Abstract


Quantum computing provides a new computational model that is restricted only by the laws of quantum physics. It has caused fundamental changes in many scientific fields. This thesis studies the strengths and limits of quantum computing from a cryptographic perspective. Our main focus is on investigating how secure computation, a central subject in classical cryptography, changes in a quantum world. In another endeavor, we also examine the potential of efficient quantum algorithms for solving some computational problems that are regarded as hard classically and are used in cryptographic constructions.

Secure computation allows a group of players to jointly perform a computational task on their private inputs without revealing more information about their inputs beyond what the output values imply. There are secure protocols that can realize any poly-time computation task under various conditions [Yao86, GMW87, CLOS02, Kil88]. However, these classical protocols may become insecure in the presence of quantum attacks. First of all, quantum algorithms, e.g., Shor's quantum factoring algorithm [?], can efficiently solve some computational problems that are otherwise assumed to be classically hard and are used to construct cryptographic protocols. Even if we assume some problems are also hard for quantum computers, classically secure protocols based on them can still be broken by a quantum attacker without necessarily solving the hard problem. On the other hand, we can also exploit quantum computing capability in a positive way. For example, Bennett et al. [BBCS91] constructed a quantum protocol for oblivious transfer (OT) that is secure against unbounded attackers, assuming the existence of an ideal commitment protocol. Remarkably, such a goal is unattainable using purely classical protocols.

In view of these challenges and opportunities, we make two major contributions in the realm of secure computation: first, we prove that there are classical protocols for computing any poly-time function securely against poly-time quantum attackers and show that a large family of classical protocols can be made secure against quantum attackers. This means that the classical feasibility picture largely remains unchanged in the presence of quantum attacks. Second, we construct a quantum OT protocol assuming a task called 2-bit cut-and-choose is already realized, which gives another demonstration of separation between quantum and classical protocols in the flavor of [BBCS91]. Along the way we also develop new tools that are useful when analyzing quantum cryptographic protocols. As an application of our two-fold investigation into secure computation in a quantum world, we are able to give an almost thorough categorization of an important class of two-party secure computation tasks. Very roughly speaking, if we consider quantum poly-time attackers, there is a zero-one law, analogous to the classical setting [MPR10]: every task is either feasible or it can be used to realize any other task. In the presence of unbounded attackers, on the other hand, every task belongs to one of three mutually exclusive subclasses, in contrast with the more complicated classical picture [MPR09, KMQ11].

As we have seen, certain computational assumptions can be broken by efficient quantum algorithms. It is thus crucial to understand which problems are easy or hard for quantum computers. In this direction, we show evidence that an important number-theoretical problem can be solved by an efficient quantum algorithm. Specifically, we show that finding the group of units in a number field of arbitrary degree (Unit-Finding) can be reduced to a hidden subgroup problem (HSP). The best classical algorithm requires super-polynomial time to compute the units, so the problem has also been used as a candidate hardness assumption for cryptographic constructions. However, our result indicates that finding units is potentially easy on a quantum computer, as the HSP instance to which we reduce is a natural generalization of the HSP instances for which efficient quantum algorithms exist (e.g., HSP over finite Abelian groups and over constant-dimension real spaces). Thus we have made the first substantial step towards a complete quantum algorithm solving Unit-Finding.
Chapter 1

Introduction


The technological advances in quantum information processing and new algorithms in the quantum computing model have brought about fundamental changes in a broad spectrum of scientific disciplines. Cryptography is one of them, and arguably the one that encounters the most severe challenges in a quantum world. Notably, there are efficient quantum algorithms that solve computational problems otherwise deemed hard for classical computers, such as factoring, discrete logarithm and Pell's equation [Sho97, Hal07]. Consequently, many existing cryptographic constructions are no longer secure against a quantum attacker. This includes, for example, the RSA encryption scheme that is widely deployed, especially over the Internet¹. This thesis systematically studies how quantum computing changes a central subfield in cryptography: secure computation. We also examine the potential of efficient quantum algorithms for solving computational problems that are regarded as hard classically and are used in cryptographic constructions.

¹ Every time one clicks an "https" link, an instance of RSA is invoked.

Secure computation, first introduced by Yao [Yao82], is concerned with the following problem: a group of players wants to design a protocol to carry out some computational task jointly on their inputs (e.g., computing the average of their wages), but they are unwilling to reveal their private inputs to the other players for various reasons. Loosely speaking, the protocol needs to be as secure as if there were a trusted party who receives inputs from the players via secret channels, computes the desired output values and sends them back to the players, again via secret channels. As ambitious as this goal may sound, amazingly, generic solutions exist. Yao [Yao86] and Goldreich et al. [GMW87] showed that if all players are computationally bounded (i.e., run polynomial-time algorithms), then there are secure protocols to compute any poly-time computable function based on reasonable computational assumptions (e.g., the existence of trapdoor permutations). If some dishonest players have unbounded computational resources, secure computation is still feasible as long as a majority of the players are honest, as shown by Ben-Or et al. [BOGW88] and Chaum et al. [CCD88]. Later works extended these results and showed that there are protocols for secure computation that remain secure even if multiple instances of (possibly different) protocols are executed concurrently, provided that the number of concurrent executions is a priori bounded [Pas04, Lin06] or that some trusted setup is available to the players, such as a common random string [CF01, CLOS02, IPS08].

These protocols were proven secure against classical attackers. More specifically, security against bounded attackers relies on two ingredients. The first is an underlying computational assumption, e.g., that factoring is hard for classical computers. The second is a security proof (a.k.a. security reduction) showing that if an attacker learns more in a protocol than what it could learn when interacting with a trusted party for the task, then one can break the computational assumption with the help of the attacker. In the presence of unbounded attackers, proving security usually boils down to deriving information-theoretic bounds, e.g., upper-bounding the min-entropy of an honest player's secret information even if an attacker may possess some side information about the secret.

A natural question then arises: are these classical protocols for secure computation still secure against quantum attackers? A quick answer is that not all of them are, because some computational assumptions become invalid due to efficient quantum algorithms, e.g., the quantum factoring algorithm mentioned before. A tempting approach to remedy this would be to switch to quantum-immune assumptions, i.e., problems that are not (known to be) easily solvable on quantum computers. However, this approach does not immediately work because of a more fundamental and often subtle issue: the security proofs and techniques that handle classical attacks may no longer be valid in the presence of quantum attackers. For instance, a key technique for basing the security of a protocol on an underlying hardness assumption is rewinding. However, there is a fundamental difficulty in making rewinding arguments go through against quantum attackers in general. Loosely speaking, rewinding proofs consist of a mental experiment in which the adversary is run multiple times using careful variations on its input. At first glance, rewinding seems impossible with a quantum adversary, since running it multiple times might modify the entanglement between its internal state and an outside reference system, thus changing the system's overall behavior. The potential breakdown of classical proof techniques is also meaningful in the setting of unbounded attackers. For example, some randomness extractors fail if an adversary keeps quantum side information [KR11, DPVR12]. More interestingly, as shown by Crépeau et al. [CSST11], a two-sender commitment protocol that is secure against unbounded classical dishonest senders will be broken if the senders can share entangled quantum states. This makes the issue not only a theoretical concern but one of fatal consequence in practice, since preparing entangled states is already feasible with current technology. It is thus critical to understand which classical protocols remain secure against quantum adversaries and, more generally, whether classical feasibility results still hold.

These two questions form the first major focus of this thesis. Before our work, only a few protocols for some specific tasks were known to resist quantum attacks. These include, for example, GMW-style zero-knowledge proof protocols for NP languages [Wat09], Blum's coin flipping protocol [DL09], a generic compiler from honest-verifier to malicious-verifier zero-knowledge [HKSZ08], and proof of knowledge protocols for Hamiltonian cycles [Unr12]. Essentially, all of those results were based on a rewinding technique tailored to quantum adversaries developed by Watrous in his breakthrough work [Wat09]. However, this technique does not suffice to "lift" all classical rewinding arguments to work against quantum attackers, and in particular whether the general solutions of Yao [Yao86] and GMW [GMW87] still hold in the quantum setting was left open. Even less was present in the literature regarding the quantum security of protocols that allow concurrent composition, such as those in [CLOS02]. Unruh [Unr10] conjectured that they should remain secure as long as we provide quantum-immune assumptions, but no formal evidence was shown. Our main contribution answers affirmatively the question of the general feasibility of secure computation against quantum attacks. Namely, we show that there are classical protocols for computing any poly-time function securely against poly-time quantum attackers. As one of the building blocks, we show that the protocols in [CLOS02] can be made secure against quantum attacks. This gives the first rigorous evidence in support of Unruh's conjecture.

The second major topic of this thesis, in a different vein, investigates how to use the ability of quantum computing in a positive way. For example, one can design quantum protocols, which involve exchanging and processing quantum information, to "outperform" classical ones or even to realize tasks that classical protocols cannot. A well-known example is quantum key distribution (QKD) protocols, which allow two players to establish a shared secret key in the presence of an unbounded eavesdropper [BB84, Eke91]. Remarkably, such a goal is unattainable using purely classical protocols. There is another example that is more relevant in the setting of secure two-party computation. Bennett et al. [BBCS91] constructed a quantum protocol for oblivious transfer (OT) that is secure against unbounded attackers, assuming the existence of an ideal commitment protocol. In contrast, again, classical protocols cannot achieve such a goal. It is thus interesting to identify other instances that exemplify a separation between quantum and classical protocols. Meanwhile, such explorations could also give insights into the power of quantum computation from a cryptographic perspective. Our main contribution is showing another separation in the flavor of [BBCS91], with new tools developed to analyze quantum cryptographic protocols.

Finally, we have seen that there are efficient quantum algorithms breaking some computational assumptions. It is thus critical to understand which problems are easy or hard on quantum computers so that we can base cryptographic constructions on solid hardness assumptions. This constitutes the third topic of this thesis. Notice that most existing quantum algorithms that give rise to exponential speedup fall into those solving a general class of Hidden Subgroup Problems (HSP), where we are given an efficiently computable function on a group $G$ with the promise that it is constant within each coset of a subgroup $H$ but takes distinct values on different cosets. The goal is to find the subgroup $H$. Shor's algorithm, for instance, reduces factoring to HSP on a cyclic group and then gives a quantum algorithm to solve this HSP instance. Our work explores further what can (or cannot) be solved in the HSP framework. We show that a very basic algebraic problem, finding the unit group of a number field, can be reduced quantumly to a (generalized) HSP instance. Though we do not yet know an efficient algorithm for the HSP instance in our reduction, this is the first major step and gives evidence that finding units is easy on a quantum computer.
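To make the HSP promise and Shor's reduction concrete, here is an added Python example; it is not code from the thesis. It solves the HSP over a small cyclic group by brute force, checks the coset promise on Shor's oracle $f(x) = a^x \bmod N$, and turns the recovered period (the generator of the hidden subgroup) into a factorisation with the usual gcd post-processing. The toy instance $N = 15$, $a = 7$ and all function names are this example's own assumptions; the brute-force searches are exactly the exponential-time steps that Shor's quantum Fourier sampling replaces.

```python
from math import gcd


def hidden_subgroup_bruteforce(f, M):
    """Brute-force HSP solver over the cyclic group Z_M (constructed example).

    Under the HSP promise, f(x) == f(y) exactly when x - y lies in the hidden
    subgroup H, so H = {h in Z_M : f(h) == f(0)}.  Finding it this way costs
    M oracle calls, i.e. exponential in log M; a quantum algorithm replaces this
    step by Fourier sampling over the group.
    """
    f0 = f(0)
    return sorted(h for h in range(M) if f(h) == f0)


def check_hsp_promise(f, M, H):
    """True iff f is constant on each coset of H in Z_M and distinct across cosets."""
    in_h = set(H)
    for x in range(M):
        for y in range(M):
            same_coset = ((x - y) % M) in in_h
            if (f(x) == f(y)) != same_coset:
                return False
    return True


def shor_oracle(a, N):
    """Shor's oracle f(x) = a^x mod N; it hides the subgroup rZ, r = order of a mod N."""
    return lambda x: pow(a, x, N)


def order_mod(a, N):
    """Order r of a modulo N, i.e. the generator of the hidden subgroup rZ of Z.

    Over the infinite group Z the promise says f(h) == f(0) iff h is in rZ, so r
    is the least positive h with a^h = 1 mod N.  Brute force again: about r steps.
    """
    if gcd(a, N) != 1:
        raise ValueError("a must be coprime to N")
    x, r = a % N, 1
    while x != 1:
        x = (x * a) % N
        r += 1
    return r


def factor_from_order(a, N):
    """Shor's classical post-processing: a non-trivial factor pair of N from the
    order r of a, or None when r is odd or a^(r/2) = -1 mod N (the known failure cases)."""
    r = order_mod(a, N)
    if r % 2:
        return None
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None
    p = gcd(y - 1, N)          # y^2 = 1 mod N with y != +-1, so this gcd is non-trivial
    return (min(p, N // p), max(p, N // p))


if __name__ == "__main__":
    N, a = 15, 7                       # constructed toy instance
    f = shor_oracle(a, N)
    r = order_mod(a, N)                # 4
    M = 3 * r                          # any multiple of r makes f well defined on Z_M
    H = hidden_subgroup_bruteforce(f, M)
    print("order", r, "hidden subgroup of Z_%d:" % M, H,
          "promise holds:", check_hsp_promise(f, M, H))
    print("factors of", N, ":", factor_from_order(a, N))
```

The promise check is what separates an HSP instance from an arbitrary periodic-looking function: for $f(x) = x \bmod 5$ on $\mathbb{Z}_{12}$ the set $\{h : f(h) = f(0)\}$ is not a subgroup, and `check_hsp_promise` rejects it.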

Main Results. This thesis studies the basic question of how (classical) cryptography changes in a quantum world and makes substantial contributions in all aspects mentioned above. We show that the general feasibility result of Goldreich et al. [GMW87] still holds against quantum attacks. Namely, we construct classical protocols for secure computation of any function that are quantum-secure. We also show a quantum protocol that achieves a goal which is impossible classically. This gives another instance of separation between classical and quantum protocols. Finally, we show that finding units in a number field, an important problem with many applications in number theory, reduces to a hidden subgroup problem. This implies that finding units is potentially easy on a quantum computer, whereas the best existing classical algorithms take super-polynomial time. Below we briefly describe the main contributions.

• Feasibility of secure computation against quantum attacks. We show that secure computation is still feasible in the presence of quantum attacks. Specifically, we show that a large family of classical protocols in [CLOS02] can be made secure against quantum attackers. We then design a classical protocol for an important building block: zero-knowledge argument of knowledge (ZKAoK). Our ZKAoK protocol has a nice property (i.e., it is fully simulatable) that allows us to compose it with the quantum-augmented protocols in [CLOS02]. As a result, we obtain classical protocols that are secure against quantum attacks for computing any poly-time function. In addition, we also propose a general security model capturing quantum adversarial behaviors, and compare it with existing security models in a unified framework. This part is based on joint work with Hallgren and Smith [HSS11].

• Another separation between quantum and classical protocols. We identify a primitive, called 2-bit cut-&-choose (2CC), based on which we can realize secure computation against unbounded quantum attackers. This demonstrates a separation between the power of classical and quantum protocols, since in the presence of unbounded attackers there exist tasks (for example commitment) that are provably impossible to realize by any classical protocol given 2CC. In addition to its theoretical appeal, such a separation is (maybe more) meaningful from a practical perspective as well, since it provides different routes to realize secure computation, which do not necessarily exist classically. Our key construction is a quantum protocol that realizes oblivious transfer (OT) unconditionally using ideal access to 2CC. New techniques are developed to prove the security of this protocol, which could be of independent interest. This part is based on joint work with Fehr, Katz, Zhou and Zikas [FKS+13].

• Characterization of Secure Computation Tasks. As an application of the above results, we are able to give an almost thorough categorization of the class of finite, deterministic, two-party tasks in a quantum universal-composable security model under cryptographic reductions. We say that a task A reduces to another one B if there is a protocol that realizes B using A as a trusted setup. Very roughly speaking, in the quantum computational setting, every task in this class is either feasible (i.e., it reduces to any other task) or complete (i.e., all tasks reduce to it). This is analogous to the classical case [MPR10]. In the quantum statistical setting, on the other hand, every task belongs to one of three mutually exclusive subclasses, in contrast with the (more complicated) classical picture [MPR09, KMQ11]. This part is adapted from our work [FKS+13].

• Reducing Unit-Finding to a Hidden Subgroup Problem. We show that finding the unit group of a number field of arbitrary degree can be reduced to a (generalized) HSP instance over $\mathbb{R}^m$. A key technical tool we developed is a quantum encoding scheme that represents lattices in a real space as quantum states, which we call a double-Gaussian encoding. It has the nice property that a small perturbation of the lattice results in little change in its quantum encoding, whereas two substantially different lattices are mapped to almost orthogonal states. As a result, the HSP instance we get generalizes the usual formalism: we have a quantum oracle function instead of a classical one, and the HSP property is only approximate, as opposed to being exact. This is based on joint work with Eisenträger, Hallgren and Kitaev [EHKS13].

Road-map. The remaining chapters are organized as follows. 

Chapter 2 Preliminaries. Sect. 2.1 introduces notations and basic definitions that are essential to the thesis. A central one is the model of quantum interactive machines. Sect. 2.2 reviews and also proposes new notions for (in)distinguishability of quantum states and quantum machines. A partial list of important cryptographic tasks/functionalities is given in Sect. 2.3.

Chapter 3 Modeling Security in Presence of Quantum Attacks. Sect. 3.1 discusses our general quantum stand-alone security model. Specifically, Sect. 3.1.1 describes the details of the model; a modular composition theorem in our model is shown in Sects. 3.1.2 and 3.1.3. Then in Sect. 3.2 we propose a unified framework to study variants of our model and other quantum stand-alone models in the literature. We briefly review the quantum universal-composable security model in Sect. 3.3.

Chapter 4 Secure Computation against Quantum Attacks: Computational Setting. Sect. 4.1 shows a quantum version of the result of Canetti et al. [CLOS02] that, building upon $\mathcal{F}_{\mathrm{ZK}}$, UC secure computation is feasible against poly-time quantum adversaries. We formulate a simple hybrid argument framework to capture a family of classical proof strategies that remain valid against quantum adversaries, and then apply it to [CLOS02] to show the prior result. Sect. 4.2 gives our zero-knowledge argument of knowledge protocol that is secure in our quantum stand-alone model. The general feasibility result in the stand-alone model, a quantum version of [GMW87], is presented in Sect. 4.3.

Chapter 5 Secure Computation against Quantum Attacks: Statistical Setting. Sect. 5.1 recaps the results in the literature that and $\mathcal{F}_{\mathrm{COM}}$ are sufficient setup assumptions to realize statistically secure computation. Sect. 5.2 gives the construction of a quantum OT protocol from $\mathcal{F}_{\mathrm{2CC}}$ and its proof. A key lemma in the proof is shown separately in Sect. 5.3 via the techniques developed in an adaptive quantum sampling framework.



Chapter 6 Application: Characterizing Cryptographic Tasks in QUC Model. Sect. 6.1 reviews cryptographic reductions and states our main results concerning characterization in the quantum setting. Sect. 6.2 describes the conditions under which a classically complete task can be lifted to a quantum complete one. The interesting part of the proof, shown in Sect. 6.2.2, identifies a few more computationally UC complete tasks in the quantum setting. Sect. 6.3 shows the equivalence between classical and quantum feasibility, and establishes a quantum analogue of Canetti and Fischlin [CF01] in Sect. 6.3.1. Sect. 6.4 depicts the landscape for finite, deterministic tasks in the quantum UC model under cryptographic reductions, where Sect. 6.4.1 shows the computational zero-one law and Sect. 6.4.2 shows three mutually exclusive classes in the statistical setting.

Chapter 7 A Reduction From Finding Units in a Number Field to a Hidden Subgroup Problem. Sect. 7.1 introduces the unit-finding problem and gives the generalized definitions of hidden subgroup problems. In Sect. 7.2 we give an overview of our reduction and the key ideas in proving its correctness. Sect. 7.3 contains more details about the reduction, focusing on a new encoding scheme that encodes lattices into quantum states.



Chapter 2

Preliminaries


2.1 Notations and Basic Definitions 

For $m \in \mathbb{N}$, $[m]$ denotes the set $\{1, \ldots, m\}$. We use $n \in \mathbb{N}$ to denote a security parameter. The security parameter, represented in unary, is an implicit input to all cryptographic algorithms; we omit it when it is clear from the context. Quantities derived from protocols or algorithms (probabilities, running times, etc.) should be thought of as functions of $n$, unless otherwise specified. A function $f(n)$ is said to be negligible if $f = o(n^{-c})$ for any constant $c$, and $\mathrm{negl}(n)$ is used to denote an unspecified function that is negligible in $n$. We also use $\mathrm{poly}(n)$ to denote an unspecified function $f(n) = O(n^{c})$ for some constant $c$. When $D$ is a probability distribution, the notation $x \leftarrow D$ indicates that $x$ is a sample drawn according to $D$. When $D$ is a finite set, we implicitly associate with it the uniform distribution over the set. If $D(\cdot)$ is a probabilistic algorithm, $D(y)$ denotes the distribution over the output of $D$ corresponding to input $y$. We will sometimes use the same symbol for a random variable and for its probability distribution when the meaning is clear from the context. Let $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$ be two ensembles of binary random variables. We call $X, Y$ indistinguishable, denoted $X \approx Y$, if

$|\Pr(X_n = 1) - \Pr(Y_n = 1)| \le \mathrm{negl}(n)$.

We assume the reader is familiar with the basic concepts of quantum information theory (see, e.g., [NC00]). We use a capital letter (e.g., $X$) to denote a quantum register and, for each $n$, $\mathcal{X}(n)$ denotes the corresponding Hilbert space. In particular, $\mathcal{H}_n$ denotes the space for $n$ qubits. Let $\mathrm{D}(\mathcal{X})$ be the set of density operators acting on space $\mathcal{X}$ and $\mathrm{L}(\mathcal{X}, \mathcal{Y})$ be the set of linear operators from space $\mathcal{X}$ to $\mathcal{Y}$.

Quantum Machine Model. We adapt Unruh's machine model in [Unr10] with minor changes. A quantum interactive machine (QIM) $M$ is an ensemble of interactive circuits $\{M_n\}_{n \in \mathbb{N}}$. For each value $n$ of the security parameter, $M_n$ consists of a sequence of circuits $\{M_n^{(i)}\}_{i = 1, \ldots, \ell(n)}$, where $M_n^{(i)}$ defines the operation of $M$ in round $i$ and $\ell(n)$ is the number of rounds for which $M_n$ operates (we assume for simplicity that $\ell(n)$ depends only on $n$). We omit the scripts when they are clear from the context or are not essential for the discussion. $M$ (or rather each of the circuits that it comprises) operates on three registers: a state register $S$ used for input and workspace; an output register $O$; and a network register $N$ for communicating with other machines. The size (or running time) $t(n)$ of $M_n$ is the sum of the sizes of the circuits $M_n^{(i)}$.

Definition 2.1.1. We say a QIM is polynomial time if it has size $t(n) = \mathrm{poly}(n)$ and there is a deterministic classical Turing machine that computes the description of $M_n^{(i)}$ in polynomial time on input $(1^n, 1^i)$.

When two QIMs $M$ and $M'$ interact, their network register $N$ is shared. The circuits $M_n^{(i)}$ and $M'^{(i)}_n$ are executed alternately for $i = 1, 2, \ldots, \ell(n)$. When three or more machines interact, the machines may share different parts of their network registers. For example, a private channel consists of a register shared between only two machines, and a broadcast channel is a register shared by all machines. The order in which machines are activated may be either specified in advance (as in a synchronous network) or adversarially controlled.

A non-interactive quantum machine (referred to as QTM hereafter) is a QIM $M$ with no network register that runs for only one round (for all $n$). This is equivalent to the quantum Turing machine model (see [Yao93]). A classical interactive machine is a special case of a QIM, where the registers only store classical strings and all circuits are classical.
2.2 Distinguishing Quantum States and Quantum Machines

Indistinguishability of Quantum States. Let $\rho = \{\rho_n\}_{n \in \mathbb{N}}$ and $\eta = \{\eta_n\}_{n \in \mathbb{N}}$ be ensembles of mixed states indexed by $n \in \mathbb{N}$, where $\rho_n$ and $\eta_n$ are both states on $r(n)$ qubits for some polynomially bounded function $r$. We first define a somewhat weak notion of indistinguishability of quantum state ensembles.

Definition 2.2.1 ($(t, \epsilon)$-weakly computationally indistinguishable states). We say two quantum state ensembles $\rho = \{\rho_n\}_{n \in \mathbb{N}}$ and $\eta = \{\eta_n\}_{n \in \mathbb{N}}$ are $(t, \epsilon)$-weakly computationally indistinguishable, denoted $\rho \approx^{t,\epsilon}_{\mathrm{wqc}} \eta$, if for every $t(n)$-time QTM $Z$,

$|\Pr[Z(\rho_n) = 1] - \Pr[Z(\eta_n) = 1]| \le \epsilon(n)$.

The states $\rho$ and $\eta$ are called weakly computationally indistinguishable, denoted $\rho \approx_{\mathrm{wqc}} \eta$, if for every polynomial $t(n)$ there exists a negligible $\epsilon(n)$ such that $\rho_n$ and $\eta_n$ are $(t, \epsilon)$-weakly computationally indistinguishable.

A stronger notion of indistinguishability of quantum states was proposed by 
Watrous [Wat09, Definition 2]. The crucial distinction is that a distinguisher is 
allowed to take quantum advice. 

Definition 2.2.2 ($(t, \epsilon)$-computationally indistinguishable states). We say two quantum state ensembles $\rho = \{\rho_n\}_{n \in \mathbb{N}}$ and $\eta = \{\eta_n\}_{n \in \mathbb{N}}$ are $(t, \epsilon)$-computationally indistinguishable, denoted $\rho \approx^{t,\epsilon}_{\mathrm{qc}} \eta$, if for every $t(n)$-time QTM $Z$ and every mixed state $\sigma_n$ on $r(n)$ qubits,

$|\Pr[Z(\rho_n \otimes \sigma_n) = 1] - \Pr[Z(\eta_n \otimes \sigma_n) = 1]| \le \epsilon(n)$.

The states $\rho$ and $\eta$ are called quantum computationally indistinguishable, denoted $\rho \approx_{\mathrm{qc}} \eta$, if for every polynomial $t(n)$ there exists a negligible $\epsilon(n)$ such that $\rho_n$ and $\eta_n$ are $(t, \epsilon)$-indistinguishable.

The two definitions above subsume classical distributions as a special case, since 
classical distributions can be represented by density matrices that are diagonal with 
respect to the standard basis. 
Indistinguishability of quantum machines. Now we introduce the notion of distinguishing two QTMs.

Definition 2.2.3 ($(t, \epsilon)$-weakly computationally indistinguishable QTMs). Let $M_1$ and $M_2$ be two QTMs with state space $S$ and output space $O$. We say $M_1$ and $M_2$ are $(t, \epsilon)$-weakly computationally indistinguishable, denoted $M_1 \approx^{t,\epsilon}_{\mathrm{wqc}} M_2$, if for any $t(n)$-time QTM $Z$ and any $\sigma_n \in S(n)$,

$|\Pr[Z(M_1(\sigma_n)) = 1] - \Pr[Z(M_2(\sigma_n)) = 1]| \le \epsilon(n)$.

$M_1$ and $M_2$ are called weakly computationally indistinguishable, denoted $M_1 \approx_{\mathrm{wqc}} M_2$, if for every polynomial $t(n)$ there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $(t, \epsilon)$-weakly indistinguishable.

Again, a stronger notion, which we state below, allows a distinguisher to keep a reference system. This definition is actually a rephrasing of Watrous's notion of quantum computationally indistinguishable super-operators [Wat09, Definition 6] for quantum machines, noting that every QTM can be represented by a super-operator.

Definition 2.2.4 ($(t, \epsilon)$-computationally indistinguishable QTMs). We say two QTMs $M_1$ and $M_2$ are $(t, \epsilon)$-computationally indistinguishable, denoted $M_1 \approx^{t,\epsilon}_{\mathrm{qc}} M_2$, if for any $t(n)$-time QTM $Z$ and any mixed state $\sigma_n \in S(n) \otimes R(n)$, where $R$ is a reference system with the same dimension as $S$ for each $n$,

$|\Pr[Z((M_1 \otimes \mathbb{1}_R)\sigma_n) = 1] - \Pr[Z((M_2 \otimes \mathbb{1}_R)\sigma_n) = 1]| \le \epsilon(n)$.

$M_1$ and $M_2$ are called quantum computationally indistinguishable, denoted $M_1 \approx_{\mathrm{qc}} M_2$, if for every polynomial $t(n)$ there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $(t, \epsilon)$-computationally indistinguishable.

For completeness, we include the information-theoretic analogues of Def. 2.2.3 and 2.2.4. First recall the trace distance between two quantum states $\rho$ and $\sigma$: $D(\rho, \sigma) := \frac{1}{2}\|\rho - \sigma\|_1$, where $\|\cdot\|_1$ is the trace norm defined by $\|A\|_1 = \mathrm{Tr}(\sqrt{A^{\dagger}A})$ for any linear operator $A$.
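Definition 2.2.1 bounds the advantage $|\Pr[Z(\rho_n) = 1] - \Pr[Z(\eta_n) = 1]|$ of a bounded distinguisher, while the trace distance just recalled is what the information-theoretic definitions of this section bound. The two are linked by Helstrom's theorem, a standard fact not stated on this page: over all measurements, the largest achievable advantage is exactly $D(\rho, \sigma)$. The following added Python example (not from the thesis; pure Python on single-qubit density matrices constructed here) computes $\|\rho - \sigma\|_1$ from the eigenvalues of $\rho - \sigma$, builds the optimal measurement from its positive eigenvector, and checks that its advantage equals the trace distance while a naive measurement falls short. For diagonal (classical) states the same code reduces to the statistical distance of Sect. 2.1. All function names are this example's own.

```python
import math


def sub(A, B):
    """Entrywise difference of two 2x2 matrices."""
    return [[A[i][j] - B[i][j] for j in range(2)] for i in range(2)]


def eig_hermitian_2x2(A):
    """Eigenvalues and unit eigenvectors of a 2x2 Hermitian matrix A = [[a, b], [b*, d]].

    Returns ((lam_plus, v_plus), (lam_minus, v_minus)) with lam_plus >= lam_minus.
    """
    a, b, d = A[0][0].real, A[0][1], A[1][1].real
    mean = (a + d) / 2
    rad = math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    lam_plus, lam_minus = mean + rad, mean - rad
    if abs(b) < 1e-12:                     # already diagonal: eigenvectors are the standard basis
        v_plus, v_minus = ([1.0, 0.0], [0.0, 1.0]) if a >= d else ([0.0, 1.0], [1.0, 0.0])
    else:                                  # (b, lam - a) solves (A - lam*I) v = 0
        def unit(v):
            n = math.sqrt(abs(v[0]) ** 2 + abs(v[1]) ** 2)
            return [v[0] / n, v[1] / n]
        v_plus, v_minus = unit([b, lam_plus - a]), unit([b, lam_minus - a])
    return (lam_plus, v_plus), (lam_minus, v_minus)


def trace_distance(rho, sigma):
    """D(rho, sigma) = (1/2) ||rho - sigma||_1; for Hermitian A, ||A||_1 = sum of |eigenvalues|."""
    (lp, _), (lm, _) = eig_hermitian_2x2(sub(rho, sigma))
    return 0.5 * (abs(lp) + abs(lm))


def accept_prob(v, state):
    """Pr[outcome 1] = <v| state |v> for the two-outcome measurement {|v><v|, 1 - |v><v|}."""
    w = [state[0][0] * v[0] + state[0][1] * v[1],
         state[1][0] * v[0] + state[1][1] * v[1]]
    return (v[0].conjugate() * w[0] + v[1].conjugate() * w[1]).real


def advantage(v, rho, sigma):
    """Distinguishing advantage of the measurement vector v (Def. 2.2.1 with Z = this measurement)."""
    return abs(accept_prob(v, rho) - accept_prob(v, sigma))


def helstrom_measurement(rho, sigma):
    """Optimal distinguisher: project onto the positive eigenspace of rho - sigma."""
    (_, v_plus), _ = eig_hermitian_2x2(sub(rho, sigma))
    return v_plus


if __name__ == "__main__":
    ket0 = [[1.0, 0.0], [0.0, 0.0]]        # |0><0|   (constructed sample states)
    plus = [[0.5, 0.5], [0.5, 0.5]]        # |+><+|
    v = helstrom_measurement(ket0, plus)
    print("trace distance", round(trace_distance(ket0, plus), 4),
          "optimal advantage", round(advantage(v, ket0, plus), 4))      # both 1/sqrt(2)
    print("standard-basis advantage", advantage([1.0, 0.0], ket0, plus))  # 0.5, strictly smaller
    p, q = [[0.9, 0.0], [0.0, 0.1]], [[0.6, 0.0], [0.0, 0.4]]           # two classical distributions
    print("diagonal states: trace distance", round(trace_distance(p, q), 4))  # 0.3 = statistical distance
```

The single-qubit restriction keeps the eigendecomposition in closed form; the same construction (positive eigenspace of $\rho - \sigma$) gives the optimal measurement in any dimension.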
Definition 2.2.5 ($\epsilon$-indistinguishable QTMs in trace norm). We say two QTMs $M_1$ and $M_2$ are $\epsilon$-indistinguishable in trace norm, denoted $M_1 \approx^{\epsilon}_{\mathrm{tr}} M_2$, if for any $\sigma_n \in S(n)$,

$D[M_1(\sigma_n), M_2(\sigma_n)] \le \epsilon(n)$.

$M_1$ and $M_2$ are said to be indistinguishable in trace norm, denoted $M_1 \approx_{\mathrm{tr}} M_2$, if there is a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $\epsilon$-indistinguishable in trace norm.

Definition 2.2.6 ($\epsilon$-indistinguishable QTMs in diamond norm). We say two QTMs $M_1$ and $M_2$ are $\epsilon$-indistinguishable in diamond norm, denoted $M_1 \approx^{\epsilon}_{\diamond} M_2$, if for any $\sigma_n \in S(n) \otimes R(n)$, where $R$ is a reference system with the same dimension as $S$ for each $n$,

$D[(M_1 \otimes \mathbb{1}_R)\sigma_n, (M_2 \otimes \mathbb{1}_R)\sigma_n] \le \epsilon(n)$.

$M_1$ and $M_2$ are said to be indistinguishable in diamond norm, denoted $M_1 \approx_{\diamond} M_2$, if there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $\epsilon$-indistinguishable in diamond norm.

Indistinguishability of QIMs. Next we define indistinguishability of quantum interactive machines. Let $Z, M$ be two QIMs; we denote by $(Z, M)(\sigma)$ the process in which $Z$ and $M$ collectively are given input state $\sigma$, then interact, and $Z$ outputs one classical bit, 1 or 0, in the end.

Definition 2.2.7 ($(t, \epsilon)$-indistinguishable QIMs). We say two QIMs $M_1$ and $M_2$ are $(t, \epsilon)$-interactively indistinguishable, denoted $M_1 \approx^{t,\epsilon}_{\mathrm{qci}} M_2$, if for any quantum $t(n)$-time interactive machine $Z$ and every mixed state $\sigma_n$ on $t(n)$ qubits,

$|\Pr[(Z, M_1)(\sigma_n) = 1] - \Pr[(Z, M_2)(\sigma_n) = 1]| \le \epsilon(n)$.

QIMs $M_1$ and $M_2$ are called computationally interactively indistinguishable, denoted $M_1 \approx_{\mathrm{qci}} M_2$, if for every polynomial $t(n)$ there exists a negligible $\epsilon(n)$ such that $M_1$ and $M_2$ are $(t, \epsilon)$-interactively indistinguishable.

We can also define statistically interactively indistinguishable QIMs, denoted by , by allowing unbounded interactive distinguishers $Z$.
2.3 A (partial) List of Cryptographic Functionalities

We now introduce a few two-party cryptographic tasks (a.k.a. functionalities) that will be important in later discussions. They are specified by an ideal-world protocol (see Sect. 3.1.1 for its exact meaning) between two (dummy) players with access to a trusted party that implements the task. At the end we define the class of deterministic finite functionalities, which is the object we categorize systematically in Chapter 6.

Oblivious transfer $\mathcal{F}_{\mathrm{ot}}$. There are many equivalent variants of oblivious transfer¹. Here we use the standard 1-out-of-2 oblivious bit transfer. Intuitively, it allows a receiver to get one of two bits held by the sender, but he should not learn the other one, and the sender should not learn which bit the receiver chose.

Functionality $\mathcal{F}_{\mathrm{ot}}$

The functionality is parameterized by players Alice and Bob.

• Upon receiving input $(x_0, x_1) \in \{0,1\} \times \{0,1\}$ from Alice and input $b \in \{0,1\}$ from Bob, return output $x_b$ to Bob, and send Alice an acknowledgment message "ACK" to inform Alice that one bit has been delivered to Bob.


Commitment $\mathcal{F}_{\mathrm{com}}$. $\mathcal{F}_{\mathrm{com}}$ is a functionality with two stages: a committing stage, followed by an opening stage.

¹ There is an interesting story about the invention of OT. Arguably, Wiesner was the first to propose (in disguised form) 1-out-of-2 OT, in his notion of a "quantum multiplexing" channel, which would allow one party to send two messages to another in such a way that the receiver can choose which message to read while the other one is destroyed automatically. Michael Rabin independently introduced his original concept about ten years later [?], which is more widely recognized by the theoretical computer science community and has found great significance in cryptography. See [?] for a vivid account.
Functionality $\mathcal{F}_{\mathrm{com}}$

The functionality is parameterized by sender Alice and receiver Bob.

• Upon receiving input ("commit", $b$) from Alice, where $b \in \{0,1\}$, internally record $b$ and send Bob an acknowledgment message "ACK" informing him that a commitment has been recorded.

• Upon receiving input "open" from Alice, if a bit $b$ has been internally recorded, send ("open", $b$) to Bob.

Intuitively, the commitment stage is hiding, so that the receiver does not learn $b$, whereas the opening stage is binding, in that the sender cannot change his mind and open to a different bit.

XOR $\mathcal{F}_{\mathrm{xor}}$. Alice and Bob input bits $b_A$ and $b_B$, respectively. They both receive the output $y = b_A \oplus b_B$. Basically, it ensures input independence: Alice (resp. Bob) cannot choose her (resp. his) bit depending on Bob's (resp. Alice's).

Functionality $\mathcal{F}_{\mathrm{xor}}$

The functionality is parameterized by players Alice and Bob.

• Upon receiving input $b_A \in \{0,1\}$ from Alice and input $b_B \in \{0,1\}$ from Bob, compute $y = b_A \oplus b_B$ and return output $y$ to both Alice and Bob.


Cut-and-Choose. First we define the 1-bit Cut-and-Choose functionality $\mathcal{F}_{\mathrm{cc}}$. Basically, Alice chooses whether to see Bob's input bit, and Bob must pre-determine his bit. It will be useful for interactive random sampling, as we show in Sect. 5.2.

Functionality $\mathcal{F}_{\mathrm{cc}}$

The functionality is parameterized by players Alice and Bob.

• Upon receiving input $s_A \in \{0,1\}$ from Alice and input $b \in \{0,1\}$ from Bob, return output $s_A$ to Bob and output $b \cdot s_A$ to Alice.

Similarly, we can define the 2-bit Cut-and-Choose functionality $\mathcal{F}_{\mathrm{2cc}}$ as follows:

Functionality $\mathcal{F}_{\mathrm{2cc}}$

The functionality is parameterized by players Alice and Bob.

• Upon receiving input $s_A \in \{0,1\}$ from Alice and input $(b_0, b_1) \in \{0,1\} \times \{0,1\}$ from Bob, return $s_A$ to Bob and output $(b_0, b_1) \cdot s_A$ to Alice.

Coin Tossing $\mathcal{F}_{\mathrm{cf}}$. Here a uniformly random bit is generated and handed to both players, which can be used as a shared resource.

Functionality $\mathcal{F}_{\mathrm{cf}}$

The functionality is parameterized by players Alice and Bob.

• Upon receiving input "request" from both Alice and Bob, randomly choose a fair coin $r \in \{0,1\}$ and send $r$ to both Alice and Bob.

Simultaneous exchange channel. This is a secure and fair bidirectional binary channel, i.e., Alice and Bob can send each other bits which are delivered in a fair manner: each party receives the other party's bit only after inputting his/her own bit into the channel.

Functionality $\mathcal{F}_{\mathrm{exch}}$

The functionality is parameterized by Alice and Bob.

• Upon receiving input $b_A \in \{0,1\}$ from Alice and input $b_B \in \{0,1\}$ from Bob, return outputs $y_A = b_B$ to Alice and $y_B = b_A$ to Bob.


Secure Function Evaluation $\mathcal{F}_{\mathrm{sfe}}$. All of the above except $\mathcal{F}_{\mathrm{com}}$ are captured by a more abstract functionality, secure function evaluation (SFE) $\mathcal{F}_{\mathrm{sfe}}$. It is specified by a pair of functions $(f_A, f_B)$ over an input domain $X \times Y$.

Functionality $\mathcal{F}_{\mathrm{sfe}}$

The functionality interacts with players Alice and Bob, and is parameterized by functions $(f_A, f_B)$ over input domain $X \times Y$.

• Upon receiving input $x \in X$ from Alice and input $y \in Y$ from Bob, return $f_A(x, y)$ to Alice and $f_B(x, y)$ to Bob.
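To make the ideal-world reading of these boxes concrete, here is an added example (not code from the thesis) that implements the trusted party of $\mathcal{F}_{\mathrm{sfe}}$ in Python and instantiates $\mathcal{F}_{\mathrm{ot}}$, $\mathcal{F}_{\mathrm{xor}}$, $\mathcal{F}_{\mathrm{cc}}$, $\mathcal{F}_{\mathrm{2cc}}$ and $\mathcal{F}_{\mathrm{exch}}$ as pairs $(f_A, f_B)$; the randomized $\mathcal{F}_{\mathrm{cf}}$ and the reactive $\mathcal{F}_{\mathrm{com}}$ are written separately. The `send` method, the player names and the output dictionaries are conventions of the example, not of the thesis. What the code makes explicit that the boxes leave implicit: nothing is delivered until both inputs are present (which is all the "fairness" of $\mathcal{F}_{\mathrm{exch}}$ amounts to in the ideal world), and an opening of $\mathcal{F}_{\mathrm{com}}$ can only release the bit recorded at commit time.

```python
"""Ideal-world ("trusted party") versions of the functionalities of Sect. 2.3.

Added example, not code from the thesis.  A trusted party collects one input
from each dummy player and delivers outputs only once both are present; the
method name `send`, the player names and the output dictionaries are
conventions of this example.
"""
import random


class SFE:
    """F_sfe parameterized by a pair of functions (f_A, f_B) over X x Y."""

    def __init__(self, f_a, f_b):
        self.f_a, self.f_b = f_a, f_b
        self.inputs = {}

    def send(self, player, value):
        assert player in ("Alice", "Bob") and player not in self.inputs, "one input per player"
        self.inputs[player] = value
        if len(self.inputs) < 2:
            return None  # nothing leaves the trusted party until the other input arrives
        x, y = self.inputs["Alice"], self.inputs["Bob"]
        return {"Alice": self.f_a(x, y), "Bob": self.f_b(x, y)}


# Instances: (f_A, f_B) read off the functionality boxes; Alice's input comes first.
def OT():   return SFE(lambda x, b: "ACK", lambda x, b: x[b])            # x = (x0, x1)
def XOR():  return SFE(lambda a, b: a ^ b, lambda a, b: a ^ b)
def CC():   return SFE(lambda s, b: b * s, lambda s, b: s)               # Alice sees b iff s = 1
def CC2():  return SFE(lambda s, bb: (bb[0] * s, bb[1] * s), lambda s, bb: s)
def EXCH(): return SFE(lambda a, b: b, lambda a, b: a)                   # fair: both or nothing


class CoinFlip:
    """F_cf: randomized, hence not an SFE in the sense of Def. 2.3.1."""

    def __init__(self, rng=None):
        self.rng, self.requests = rng or random.Random(), set()

    def send(self, player, msg):
        assert msg == "request"
        self.requests.add(player)
        if self.requests != {"Alice", "Bob"}:
            return None
        r = self.rng.randrange(2)  # one fair coin, handed to both players
        return {"Alice": r, "Bob": r}


class Commitment:
    """F_com: reactive; the two stages share the recorded bit as joint state."""

    def __init__(self):
        self.recorded = None

    def send(self, player, msg):
        assert player == "Alice", "only the sender talks to F_com"
        if isinstance(msg, tuple) and msg[0] == "commit":
            assert self.recorded is None, "binding: a second commit is refused"
            self.recorded = msg[1]
            return {"Bob": "ACK"}  # hiding: Bob learns only that a bit was recorded
        if msg == "open":
            if self.recorded is None:
                return None  # nothing to open
            return {"Bob": ("open", self.recorded)}  # binding: the recorded bit, no other
        raise ValueError("unknown message")


def run_sfe(f, x, y):
    """Feed Alice's input x and Bob's input y to a fresh SFE; return what is delivered."""
    assert f.send("Alice", x) is None
    return f.send("Bob", y)


def run_ot(x0, x1, b):
    return run_sfe(OT(), (x0, x1), b)


def run_coin_flip(seed):
    f = CoinFlip(random.Random(seed))
    assert f.send("Alice", "request") is None
    return f.send("Bob", "request")


def run_commitment(bit):
    f = Commitment()
    return f.send("Alice", ("commit", bit)), f.send("Alice", "open")


if __name__ == "__main__":
    print(run_ot(0, 1, 1))        # {'Alice': 'ACK', 'Bob': 1}
    print(run_sfe(CC(), 0, 1))    # {'Alice': 0, 'Bob': 0}: Alice chose not to look
    print(run_commitment(1))      # ({'Bob': 'ACK'}, {'Bob': ('open', 1)})
```

Because every SFE instance is just a pair of Python functions over finite domains, the same class also serves as a test oracle for a real protocol: run the protocol and the trusted party on the same inputs and compare outputs, which is the correctness half of the ideal/real comparison that Chapter 3 formalizes.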
Definition 2.3.1 (Deterministic Finite SFE). Let $\mathcal{F} := \{f_\kappa\}_{\kappa \in \mathbb{N}}$ be a two-party SFE functionality, $f_\kappa : D_\kappa \times D'_\kappa \to R_\kappa \times R'_\kappa$, $\kappa \in \mathbb{N}$, where $D_\kappa$, $D'_\kappa$, $R_\kappa$ and $R'_\kappa$ are all subsets of $\{0,1\}^\kappa$. We call $\mathcal{F}$ finite deterministic if there exist polynomials $p(\cdot)$ and $q(\cdot)$ such that, for all but finitely many $\kappa \in \mathbb{N}$,

1. $|D_\kappa| + |D'_\kappa| \le p(\kappa)$;

2. $f_\kappa$ is computable on a deterministic Turing machine in time at most $q(\kappa)$.

A reactive functionality $\mathcal{F}$ can be described as a sequence of SFEs $\mathcal{F}_1 \circ \mathcal{F}_2 \circ \cdots \circ \mathcal{F}_m$ which may share a joint state. We call $\mathcal{F}$ deterministic finite reactive if each of these $\mathcal{F}_i$ is deterministic and finite.

Definition 2.3.2 (Deterministic Finite Two-Party Functionalities). The collection of finite deterministic two-party functionalities is defined to be

$$\mathcal{U} := \{\mathcal{F} : \mathcal{F} \text{ is a deterministic finite SFE or reactive functionality}\}.$$



Modeling Security in Presence of 
Quantum Attacks 


In this chapter, we propose a general security model that captures quantum adversaries in the stand-alone setting. We also prove a modular composition theorem in our model, which allows us to use secure protocols as ideal building blocks to construct larger protocols. We then investigate, in Section 3.2, variants of our model under a unified framework, and give a comprehensive discussion of possible equivalences or separations between those variants. This material is based on our work in [HSS11]. To be self-contained, we review in Section 3.3 the quantum universal-composable (UC) security model, which is an extension of the classical UC model to a quantum adversarial network setting. A few useful facts about the quantum UC model are also included there.


3.1 A General Quantum Stand-Alone Security 
Model 

Our model follows the real-world/ideal-world simulation paradigm. It proceeds 
in three high-level steps: i) formalizing the process of executing a protocol in 
the presence of adversarial activities; ii) formalizing an ideal-world protocol for 
realizing the desired task; and iii) finally defining formally what secure emulation 
of a protocol means. Consequently, we say a (real-world) protocol realizes a task securely if it faithfully emulates the ideal-world protocol for that task. Here we give a brief overview of the model; the detailed description can be found in Section 3.1.1.

Let $\mathcal{F}$ be a specification of a two-party cryptographic task. A protocol $\Pi = (A, B)$ for $\mathcal{F}$ consists of two interactive machines $A$ and $B$, which take turns performing local computation and exchanging messages. Honest players run the machines $(A, B)$. However, a dishonest party, call it an adversary $\mathcal{A}$, can run an arbitrary machine that deviates from the protocol. By doing so, $\mathcal{A}$ aims to learn more about the other player's secret information. To capture what "secret" information we want to protect from a dishonest player, we consider an ideal-world protocol for $\mathcal{F}$. In this protocol, we assume a trusted party is available, so that the two players can send their inputs to the trusted party, who then executes the specification of $\mathcal{F}$ and returns the outputs to the two players. The communication between an individual player and the trusted party is secure. Intuitively, an adversary attacking the ideal-world protocol is limited to inferring information from the output on some carefully chosen input. We then say a protocol $(A, B)$, call it a real-world protocol by contrast, securely realizes (or emulates) the task $\mathcal{F}$ if for any $\mathcal{A}$ in the real protocol there is another adversary $\mathcal{S}$ in the ideal-world protocol such that the executions of the two protocols have no noticeable distinction. Namely, the distributions (or quantum states) induced by running the two protocols with $\mathcal{A}$ and $\mathcal{S}$ respectively are indistinguishable. Since an ideal-world adversary has very limited advantage, we can conclude that $\mathcal{A}$ essentially learns little extra information in the real protocol as well.

More formally, using our notion of quantum machines, we define $M_{\Pi,\mathcal{A}}$ to be the composed machine of the real-world protocol $\Pi$ and the adversary $\mathcal{A}$. Likewise, $M_{\mathcal{F},\mathcal{S}}$ denotes the composed machine of the ideal-world protocol for $\mathcal{F}$ and the adversary $\mathcal{S}$. Then we say $\Pi$ quantum stand-alone realizes/emulates $\mathcal{F}$ if $M_{\Pi,\mathcal{A}}$ and $M_{\mathcal{F},\mathcal{S}}$ are indistinguishable. Proving security of a protocol then amounts to constructing an ideal-world adversary $\mathcal{S}$ (often called a simulator) for an arbitrary real-world adversary $\mathcal{A}$, and then showing that the two induced machines $M_{\Pi,\mathcal{A}}$ and $M_{\mathcal{F},\mathcal{S}}$ are indistinguishable.

Our model can be viewed as a quantum analogue of the classical stand-alone model by Canetti [Can00]. Prior to our work, security definitions in the presence of quantum attacks were of an ad hoc flavor¹, and the only systematic treatments appear in [FS09, DFL+09]. Our model generalizes the existing model of Damgård et al. [DFL+09] in two ways. First, our model allows for protocols in which the functionalities can process quantum information (rather than only classical functionalities). Second, it allows for adversaries that take arbitrary quantum advice, and for arbitrary entanglement between honest and malicious players' inputs. This distinction is reflected in the composability that the model can provide (see details in Section 3.1.2). While the composition results of Damgård et al. allow only for classical high-level protocols, our result holds for arbitrary quantum protocols.

3.1.1 The Model

Now we turn to a thorough description of our stand-alone security model. We first introduce the objects we need in our model. We restrict our focus to two-party cryptographic tasks; it is straightforward to extend the model to the multi-party setting.

• Functionality. We have so far used the vague term "task". Now we formalize a cryptographic task of interest as an interactive machine that contains the specification and instructions to realize the task. We call it a functionality², usually denoted $\mathcal{F}$ or $\mathcal{G}$. Intuitively, one can envision it as a trusted party that can be queried as a subroutine (i.e., an oracle) to carry out the desired task. Note that $\mathcal{F}$ can be either classical (i.e., consisting of classical circuits) or quantum (i.e., consisting of quantum circuits), though the main focus of this work is classical functionalities. We are interested in efficiently computable functionalities. Therefore, the machine is probabilistic polynomial-time for a classical $\mathcal{F}$, and quantum poly-time as per Definition 2.1.1 for a quantum $\mathcal{F}$.

• Protocol. A two-party protocol consists of a pair of interactive machines $(A, B)$ that is meant to realize a functionality. We typically use Greek letters,

¹ Quote from [FS09]: "It is still common practice in quantum cryptography that every paper proposes its own security definition of a certain task and proves security with respect to the proposed definition. However, it usually remains unclear whether these definitions are strong enough to guarantee any kind of composability, and thus whether protocols that meet the definition really behave as expected."

² It is conventionally named "ideal functionality". However, we think it is preferable to reserve "ideal" for the ideal-world protocol (defined later) that realizes the functionality.
e.g., $\Pi$, to denote (quantum) protocols. If we want to emphasize that a protocol is purely classical, i.e., only classical information is exchanged and processed, we use lower-case letters, e.g., $\pi = (A, B)$, in which $(A, B)$ are understood as classical ITMs. We call a protocol poly-time if $A$ and $B$ are both poly-time machines.

• Adversary. An adversary, usually denoted $\mathcal{A}$ or $\mathcal{S}$, is a party that intends to attack a protocol. Since we want to capture attackers with quantum computing ability, we model an adversary by a QIM.

Protocol Execution. An execution of a protocol $\Pi = (A, B)$ in the presence of an adversary $\mathcal{A}$ consists of a sequence of interactions between $\mathcal{A}$ and the parties in $\Pi$. At any time, only one party is active. Here we abuse notation and denote both the machine and the actual party who runs the machine by the same character. Specifically, on input a security parameter $1^n$ and an arbitrary quantum state $\sigma_n$, the operations of each party are:

• Adversary $\mathcal{A}$: it may either deliver a message to some party or corrupt a party. Delivering a message simply means instructing the designated party (i.e., the receiver) to read the proper segment of its network register. We assume all registers are authenticated, so that $\mathcal{A}$ cannot modify them, and in particular, if a register is private to a party, $\mathcal{A}$ may not read its content. Other than that, $\mathcal{A}$ can, for example, schedule message delivery in any arbitrary way. If $\mathcal{A}$ corrupts a party, the party passes all of its internal state to $\mathcal{A}$ and follows the instructions of $\mathcal{A}$. In the two-party setting, corrupting a party can simply be thought of as substituting the machine of $\mathcal{A}$ for the machine of the corrupted party.

• Parties in $\Pi$: once a party receives a message from $\mathcal{A}$, it becomes activated and follows the program of its machine. At the end of a round, some message is written on the network register, and $\mathcal{A}$ is activated again and controls message delivery. At some round, the party generates its output and terminates.

Abstractly, we view $\Pi$ and $\mathcal{A}$ as a whole and model the composed system as another QIM, call it $M_{\Pi,\mathcal{A}}$. Then an execution is just running $M_{\Pi,\mathcal{A}}$ on an input instance, without external interactions.
Protocol Emulation. Here we formalize the secure emulation of protocols. Let $\Pi$ and $\Gamma$ be two protocols. Let $M_{\Pi,\mathcal{A}}$ be the combined machine of $\Pi$ and an adversary $\mathcal{A}$, and $M_{\Gamma,\mathcal{S}}$ that of $\Gamma$ and some other adversary $\mathcal{S}$. Informally, $\Pi$ emulates $\Gamma$ if the two machines $M_{\Pi,\mathcal{A}}$ and $M_{\Gamma,\mathcal{S}}$ are indistinguishable.

Definition 3.1.1 (Quantum Computationally Stand-Alone Emulation). Let $\Pi$ and $\Gamma$ be two poly-time protocols. We say $\Pi$ quantum computationally stand-alone (Q-CSA) emulates $\Gamma$ if for any poly-time QIM $\mathcal{A}$ there exists a poly-time QIM $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx_{\mathrm{qc}} M_{\Gamma,\mathcal{S}}$.

Alternatively, we can state the same definition using language more familiar to the cryptography community, as follows. We introduce another party $\mathcal{Z}$, called an environment³, which takes the output state of a protocol execution and generates one bit as output. We denote by

$$\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} := \bigl\{\mathcal{Z}\bigl(M_{\Pi,\mathcal{A}}(1^n, \sigma_n)\bigr)\bigr\}_{n \in \mathbb{N},\ \sigma_n \in \mathcal{D}(\mathcal{H}_n)}$$

the binary output distribution ensemble obtained when $\mathcal{Z}$ runs on the output state of an execution of $\Pi$ and $\mathcal{A}$ with input $(1^n, \sigma_n)$.

Definition 3.1.2 (Q-CSA Emulation: Alternative Formulation). $\Pi$ quantum computationally stand-alone (Q-CSA) emulates $\Gamma$ if for any poly-time adversary $\mathcal{A}$ there exists a poly-time adversary $\mathcal{S}$ such that for any poly-time environment $\mathcal{Z}$: $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{EXEC}_{\Gamma,\mathcal{S},\mathcal{Z}}$.

If we allow computationally unbounded adversaries and environments, we get statistical emulation.

Definition 3.1.3 (Quantum Statistically Stand-Alone Emulation). Let $\Pi$ and $\Gamma$ be two poly-time protocols. We say $\Pi$ quantum statistically stand-alone (Q-SSA) emulates $\Gamma$ if for any QIM $\mathcal{A}$ there exists a QIM $\mathcal{S}$, running in time polynomial in that of $\mathcal{A}$, such that $M_{\Pi,\mathcal{A}} \approx_{\mathrm{tr}} M_{\Gamma,\mathcal{S}}$.

Remark. i) We require the complexity of $\mathcal{S}$ to be polynomially related to that of $\mathcal{A}$. The main reason is to ensure that statistical emulation implies computational emulation

³ $\mathcal{Z}$ functions as a (non-interactive) distinguisher, but we use the term environment to match the corresponding object in the UC model discussed in a later section.

when the parties become poly-time. For more motivation and technical discussion, we refer to [Can01]. ii) Equivalently, as before, we can state the condition as "... if for any QIM $\mathcal{A}$ there exists a QIM $\mathcal{S}$, running in time polynomial in that of $\mathcal{A}$, such that for any QIM $\mathcal{Z}$: $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{EXEC}_{\Gamma,\mathcal{S},\mathcal{Z}}$". We can likewise define perfect emulation by requiring $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} = \mathrm{EXEC}_{\Gamma,\mathcal{S},\mathcal{Z}}$.

Ideal-world Protocol. We formalized protocol emulation in a general form which applies to any two protocols. But it is of particular interest to emulate a special type of protocol which captures the security guarantees we want to achieve. We formalize the so-called ideal-world protocol $\Pi_{\mathcal{F}}$ for an ideal functionality $\mathcal{F}$. In this protocol, two (dummy) parties $A$ and $B$ have access to an additional "trusted" party that implements $\mathcal{F}$. We may abuse notation and call the trusted party $\mathcal{F}$ as well. Basically, $A$ and $B$ call $\mathcal{F}$ with their inputs, and $\mathcal{F}$ runs on the inputs and sends back the respective outputs to $A$ and $B$. An execution of $\Pi_{\mathcal{F}}$ with an adversary $\mathcal{S}$ and an environment $\mathcal{Z}$ is similar to our prior description, except that $\mathcal{F}$ cannot be corrupted. Likewise, we denote the combined machine of $\Pi_{\mathcal{F}}$ and $\mathcal{S}$ by $M_{\mathcal{F},\mathcal{S}}$.

Now that we have the notions of secure protocol emulation and an ideal-world protocol ready, we give our formal quantum stand-alone security definition. We state the definition in the computational setting; statistical and perfect emulation of ideal functionalities can be defined analogously.

Definition 3.1.4 (Q-CSA Emulation of an Ideal Functionality). Let $\mathcal{F}$ be a poly-time two-party functionality and $\Pi$ a poly-time two-party protocol. We say $\Pi$ quantum computationally stand-alone emulates $\mathcal{F}$ if $\Pi$ Q-CSA emulates $\Pi_{\mathcal{F}}$. Namely, for any poly-time $\mathcal{A}$ there is a poly-time $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx_{\mathrm{qc}} M_{\mathcal{F},\mathcal{S}}$.

Similarly, if we denote by $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ the output distribution ensemble of $\mathcal{Z}$ in an execution of $\Pi_{\mathcal{F}}$ with $\mathcal{S}$, we can state the condition in the definition as "... for any poly-time $\mathcal{A}$ there is a poly-time $\mathcal{S}$ such that for any poly-time $\mathcal{Z}$: $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$".

Typically, we need to speak of security against a specific class of adversaries. So far we have distinguished two classes of adversaries according to their computational complexity, i.e., poly-time vs. unbounded time. We may also distinguish adversaries according to how they corrupt the parties and how they deviate from the honest behavior defined by the protocol. The two standard types of corruption considered in the literature are static vs. adaptive corruption. In static corruption, the corrupted party is determined before the protocol starts and stays the same until completion. In contrast, adaptive corruption allows an adversary to choose the party to corrupt adaptively during the execution. In terms of what dishonest behavior is allowed for an adversary, again two classes are standard in the literature: semi-honest (a.k.a. passive or honest-but-curious) and malicious (a.k.a. active). A semi-honest adversary, after corrupting a party, still follows the party's circuit, except that in the end it processes the output and the state of the party before handing them to $\mathcal{Z}$. A malicious adversary, however, can substitute arbitrary circuits for the corrupted party. In the definitions of protocol emulation, the two adversaries in the real world and the ideal world must belong to the same class. For example, if $\mathcal{A}$ is semi-honest, $\mathcal{S}$ must also be semi-honest.

These notions of different classes of adversaries naturally extend to quantum adversaries, except for one subtlety in defining semi-honest quantum adversaries. There are two possible definitions. One definition⁴ allows $\mathcal{A}$ to run the circuit of the corrupted party, as specified by the protocol, coherently. Namely, $\mathcal{A}$ can purify the circuit of the corrupted party so that all operations are unitary. For example, instead of measuring a quantum state, the register is "copied" by a CNOT operation into an ancillary register. The other definition forces the adversary to faithfully follow the corrupted party's circuit during the protocol execution; in particular, every quantum measurement takes place when the circuit prescribes it. In other words, a semi-honest quantum adversary $\mathcal{A}$ only corrupts a party at the end of the protocol execution, and then processes the internal state and transcript that the corrupted party holds. However, $\mathcal{A}$ can use a quantum computer in this post-processing, as opposed to the classical computer a classical semi-honest adversary uses. This definition is weaker than the first one in the sense that the adversary has a more restricted way to use quantum computation. In this thesis, we use the weaker notion of semi-honest quantum adversaries.

To complete the discussion on defining our stand-alone security model, a few important remarks are in order: i) The adversary $\mathcal{S}$ is usually called a simulator, because the typical construction of $\mathcal{S}$ simulates the given $\mathcal{A}$ internally. ii) If

⁴ We may refer to it as the Lo-Chau-Mayers semi-honest model [LC97, May97].

there is a protocol that emulates a functionality $\mathcal{F}$ according to our definition(s), we often say $\mathcal{F}$ can be realized. iii) We may say "Quantum Stand-alone (QSA) emulation" and call our model the "QSA model" without specifying the exact setting (computational, statistical, perfect) when it is clear from context, or when the statement applies to all settings.

3.1.2 Modular Composition Theorem

It is common practice in the design of large protocols that a given task is divided into several subtasks. We first realize each subtask, and then use these modules as building blocks (subroutines) to realize the original task. We thus define a composition operation and show a modular composition theorem to formalize this idea. As we did for protocol emulation, we begin our treatment with general protocols, and the case of ideal-world protocols follows as a special case.

Composition Operation. Let $\Pi$ be a protocol that uses another protocol $\Gamma$ as a subroutine, and let $\Gamma'$ be a protocol that QSA-emulates $\Gamma$. We define the composed protocol, denoted $\Pi^{\Gamma/\Gamma'}$, to be the protocol in which each invocation of $\Gamma$ is replaced by an invocation of $\Gamma'$. We allow multiple calls to a subroutine, and also multiple subroutines in a protocol $\Pi$. However, we require that at any point only one subroutine call be active. This distinguishes our setting from the more general network setting, where many instances and subroutines may be executed concurrently, and explains why we call our model a stand-alone model.

We can show that our QSA model admits a modular composition theorem.

Theorem 3.1.5 (Modular Composition: General Statement). Let $\Pi$, $\Gamma$ and $\Gamma'$ be two-party protocols such that $\Gamma'$ QSA-emulates $\Gamma$; then $\Pi^{\Gamma/\Gamma'}$ QSA-emulates $\Pi$.

Before proving the theorem, we discuss an important type of protocol for which the composition theorem is especially useful.

Protocols in a Hybrid Model. As indicated at the beginning, when we design a protocol modularly, we may want to assume that we already have certain building blocks at hand. Formally, we define a hybrid model, in which the parties can make calls to an ideal-world protocol $\Pi_{\mathcal{G}}$ of some functionality $\mathcal{G}$⁵. We call such a protocol a $\mathcal{G}$-hybrid protocol, and denote it $\Pi^{\mathcal{G}}$. The execution of a hybrid protocol in the presence of an adversary $\mathcal{A}$ proceeds in the usual way.

Now assume that we have a protocol $\Gamma$ that realizes $\mathcal{G}$, and that we have designed a $\mathcal{G}$-hybrid protocol $\Pi^{\mathcal{G}}$ realizing another functionality $\mathcal{F}$. Then the composition theorem in this special setting, loosely speaking, allows us to treat sub-protocols as equivalent to their ideal versions when analyzing the security of a high-level protocol. For instance, one can treat a coin-flipping protocol as a trusted party who hands all participants a uniformly random string.

Corollary 3.1.6 (Modular Composition: Realizing Functionalities). Let $\mathcal{F}$ and $\mathcal{G}$ be poly-time functionalities. Let $\Pi^{\mathcal{G}}$ be a $\mathcal{G}$-hybrid protocol that QSA-emulates $\mathcal{F}$, and let $\Gamma$ be a protocol that QSA-emulates $\mathcal{G}$. Then $\Pi^{\Gamma}$, the protocol obtained by replacing each call to $\Pi_{\mathcal{G}}$ by a call to $\Gamma$, QSA-emulates $\mathcal{F}$.

3.1.3 Proof of Modular Composition Theorem

Proof of Theorem 3.1.5. For ease of notation let $\Pi' := \Pi^{\Gamma/\Gamma'}$ be the composed protocol. We show the theorem in the computational setting; the proofs for the statistical and perfect settings are analogous. Specifically, we need to show that

$$\forall \mathcal{A}\ \exists \mathcal{S}: \quad M_{\Pi',\mathcal{A}} \approx_{\mathrm{qc}} M_{\Pi,\mathcal{S}}.$$

Without loss of generality, we assume that $\Pi$ calls $\Gamma$ only once. The proof proceeds in three steps:

1. From any adversary $\mathcal{A}$ attacking $\Pi'$, we construct another adversary $\mathcal{A}_{\Gamma'}$ attacking $\Gamma'$. Notice that $\Gamma'$ is a subroutine in $\Pi'$. Basically, $\mathcal{A}_{\Gamma'}$ consists of the segment of the program (circuits) of $\mathcal{A}$ during the subroutine call to $\Gamma'$.

2. By the assumption that $\Gamma'$ Q-CSA emulates $\Gamma$, we know that $\forall \mathcal{A}_{\Gamma'}\ \exists \mathcal{A}': M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{\mathrm{qc}} M_{\Gamma,\mathcal{A}'}$. This gives us an adversary $\mathcal{A}'$.

3. Finally, the adversary $\mathcal{S}$ is constructed by "composing" the machines $\mathcal{A}$ and $\mathcal{A}'$: when $\Pi$ makes the subroutine call to $\Gamma$, $\mathcal{S}$ runs $\mathcal{A}'$; otherwise it follows the operations of $\mathcal{A}$. Then $M_{\Pi',\mathcal{A}} \approx_{\mathrm{qc}} M_{\Pi,\mathcal{S}}$ essentially follows from $M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{\mathrm{qc}} M_{\Gamma,\mathcal{A}'}$.

⁵ In contrast, we call it the plain model if no such trusted set-ups are available.

Next we give the details.

Step 1 (Constructing $\mathcal{A}_{\Gamma'}$ from $\mathcal{A}$). $\mathcal{A}_{\Gamma'}$ represents the segment of $\mathcal{A}$ during the sub-protocol $\Gamma'$. It starts with some state that supposedly represents the joint state in an execution of $\Pi'$ with $\mathcal{A}$ right before the invocation of $\Gamma'$. It then runs $\mathcal{A}$ until the completion of $\Gamma'$.

Adversary $\mathcal{A}_{\Gamma'}$

Input: adversary $\mathcal{A}$; security parameter $1^n$; input state $\sigma_n$.

1. $\mathcal{A}_{\Gamma'}$ initiates $\Gamma'$ and $\mathcal{A}$ with input $\sigma_n$. It then runs $\mathcal{A}$ and executes $\Gamma'$ until completion.

2. $\mathcal{A}_{\Gamma'}$ outputs the state on all of $\mathcal{A}$'s registers.

Step 2 (Simulating $\mathcal{A}_{\Gamma'}$ by $\mathcal{A}'$). This step is immediate from the assumption that $\Gamma'$ Q-CSA emulates $\Gamma$, which means that $\forall \mathcal{A}_{\Gamma'}\ \exists \mathcal{A}': M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{\mathrm{qc}} M_{\Gamma,\mathcal{A}'}$.

Step 3 (Constructing $\mathcal{S}$ from $\mathcal{A}'$ and $\mathcal{A}$). The construction is as sketched above. Here we show that $M_{\Pi',\mathcal{A}} \approx_{\mathrm{qc}} M_{\Pi,\mathcal{S}}$. Suppose for contradiction that there exist a distinguisher $\mathcal{Z}$ and a state $\sigma_n$⁶ such that

$$\bigl|\Pr[\mathcal{Z}(M_{\Pi',\mathcal{A}}(\sigma_n)) = 1] - \Pr[\mathcal{Z}(M_{\Pi,\mathcal{S}}(\sigma_n)) = 1]\bigr| > \epsilon(n)$$

with $\epsilon(n) > 1/\mathrm{poly}(n)$. We then construct a distinguisher $\mathcal{Z}'$ and show that there exists a state $\sigma'_n$ such that, on input $\sigma'_n$, $M_{\Gamma',\mathcal{A}_{\Gamma'}}$ and $M_{\Gamma,\mathcal{A}'}$ become distinguishable under $\mathcal{Z}'$.

• $\sigma'_n$ is the joint state of executing $\Pi'$ in the presence of $\mathcal{A}$ on input $\sigma_n$ right before the invocation of $\Gamma'$. Clearly it is identical to the joint state of executing $\Pi$ in the presence of $\mathcal{S}$ on input $\sigma_n$ right before the invocation of $\Gamma$, since $\mathcal{S}$ behaves exactly as $\mathcal{A}$ up to that point.

⁶ More precisely, there exists a family of states $\{\sigma_n\}_{n \in \mathbb{N}}$.

• $\mathcal{Z}'$ runs the circuits of $\mathcal{A}$ after the execution of the subroutine $\Gamma'$ (equivalently, the circuits of $\mathcal{S}$ after the execution of the subroutine $\Gamma$) and then runs $\mathcal{Z}$.

It is easy to see that

$$\mathcal{Z}'\bigl(M_{\Gamma',\mathcal{A}_{\Gamma'}}(\sigma'_n)\bigr) = \mathcal{Z}\bigl(M_{\Pi',\mathcal{A}}(\sigma_n)\bigr) \quad\text{and}\quad \mathcal{Z}'\bigl(M_{\Gamma,\mathcal{A}'}(\sigma'_n)\bigr) = \mathcal{Z}\bigl(M_{\Pi,\mathcal{S}}(\sigma_n)\bigr),$$

where "$=$" means identical distributions. This implies that

$$\bigl|\Pr[\mathcal{Z}'(M_{\Gamma',\mathcal{A}_{\Gamma'}}(\sigma'_n)) = 1] - \Pr[\mathcal{Z}'(M_{\Gamma,\mathcal{A}'}(\sigma'_n)) = 1]\bigr| > \epsilon(n),$$

which contradicts the assumption that $M_{\Gamma',\mathcal{A}_{\Gamma'}} \approx_{\mathrm{qc}} M_{\Gamma,\mathcal{A}'}$.

This concludes our proof of the modular composition theorem. □

3.2 Variants of Quantum Stand-Alone Models: 
A Unified Framework 

When defining a security model, there are lots of choices qualifying and quantify¬ 
ing the power of the adversaries to account for various security requirements. Here 
we provide an abstract stand-alone model for both classical and quantum cryp¬ 
tographic protocols, illustrated in Fig. 3.1, which contains three natural choices 
for the adversaries which we think are essential. This abstract model captures all 
existing stand-alone security models (including ours) and this allows for a unified 
and comprehensive study and comparison among these models. We believe that 
studying these models is not only of interest to the cryptography community, but 
also helps understand fundamental questions in areas like quantum information 
and quantum computational complexity theory. 

The model contains an environment $\mathcal{Z}$ and a protocol. Depending on whether the protocol is in the real world or the ideal world, we have the honest party, the (real-world or ideal-world) adversary and possibly the trusted party. We model all parties as poly-time QTMs. Here we think of the environment as two separate machines: $\mathcal{Z}_1$, which we may call an input sampler, prepares inputs for the players; and $\mathcal{Z}_2$, which receives outputs and makes the decision. Now we consider the following choices:

(a) Does $\mathcal{Z}_1$ have a quantum advice $\mathrm{aux}_1$?
Figure 3.1. Abstract Security Model

(b) Does $\mathcal{Z}_1$ pass a state to $\mathcal{Z}_2$? In other words, does the environment keep state during the execution?

(c) Does $\mathcal{Z}_2$, which is essentially a distinguisher, take quantum advice $\mathrm{aux}_2$?

Notice that positive answers potentially give more power to the adversaries and thus provide stronger security guarantees. Also beware that all machines are always allowed to take classical advice.

For the discussion in the current section, we denote a model as $\mathcal{M}_{\ldots}$, where the subscripts are drawn from $\{\mathrm{aux}_1, \overline{\mathrm{aux}_1}, \mathrm{aux}_2, \overline{\mathrm{aux}_2}, \mathrm{state}, \overline{\mathrm{state}}\}$ and indicate each of the choices made for the model. For example, $\mathcal{M}_{\mathrm{aux}_1, \overline{\mathrm{aux}_2}, \overline{\mathrm{state}}}$ corresponds to the model in which $\mathcal{Z}_1$ gets quantum advice, $\mathcal{Z}_2$ takes no quantum advice and $\mathcal{Z}_1$ does not pass state to $\mathcal{Z}_2$; this is exactly our model in Def. ??. Similarly, $\mathcal{M}_{\mathrm{aux}_1, \mathrm{aux}_2, \mathrm{state}}$ is the model where $\mathcal{Z}_1$ and $\mathcal{Z}_2$ both take quantum advice, and there is state passing from $\mathcal{Z}_1$ to $\mathcal{Z}_2$.

Now we have $2^3 = 8$ possible combinations; as one may expect, many of them collapse to the same model. To get a flavor, consider all players being classical circuits; then all models $\mathcal{M}_{\ldots}$ collapse. This is because classical machines can only measure a quantum state in the computational basis and obtain a classical string from a certain distribution. However, a classical circuit can by definition hardwire any classical string. Therefore quantum advice gives no extra power to a classical circuit, and passing state also becomes vacuous.

In the quantum setting, where we consider quantum circuits, the situation is more complicated. It turns out that whether or not $\mathcal{Z}_1$ takes quantum advice is the crucial choice, and we discuss each case carefully.

3.2.1 $\mathcal{Z}_1$ takes quantum advice

Surprising as it may appear, we can show that once $\mathcal{Z}_1$ takes quantum advice, the choices for (b) and (c) no longer matter, and we get a single model as a result.

Proposition 3.2.1. The models where $\mathcal{Z}_1$ passes state to $\mathcal{Z}_2$ are equivalent to the models without state passing. Namely,

$$\mathcal{M}_{\mathrm{aux}_1, \mathrm{aux}_2, \mathrm{state}} = \mathcal{M}_{\mathrm{aux}_1, \mathrm{aux}_2, \overline{\mathrm{state}}} \quad\text{and}\quad \mathcal{M}_{\mathrm{aux}_1, \overline{\mathrm{aux}_2}, \mathrm{state}} = \mathcal{M}_{\mathrm{aux}_1, \overline{\mathrm{aux}_2}, \overline{\mathrm{state}}}.$$

We only show that $\mathcal{M}' := \mathcal{M}_{\mathrm{aux}_1, \overline{\mathrm{aux}_2}, \mathrm{state}}$ equals $\mathcal{M} := \mathcal{M}_{\mathrm{aux}_1, \overline{\mathrm{aux}_2}, \overline{\mathrm{state}}}$, as the proof of $\mathcal{M}_{\mathrm{aux}_1, \mathrm{aux}_2, \mathrm{state}} = \mathcal{M}_{\mathrm{aux}_1, \mathrm{aux}_2, \overline{\mathrm{state}}}$ is essentially the same. The proof goes in two directions.

Lemma 3.2.2. Any protocol $\Pi$ secure in model $\mathcal{M}$ is secure in model $\mathcal{M}'$.

This claim is obvious, because the $\mathcal{Z}_1$'s that do not pass state are a subset of those that do. The nontrivial part is the other direction.

Lemma 3.2.3. Any protocol $\Pi$ secure in model $\mathcal{M}'$ is secure in model $\mathcal{M}$.

Let $W$ be the system that $\mathcal{Z}_1$ passes to $\mathcal{Z}_2$. Intuitively, passing state $W$ directly from $\mathcal{Z}_1$ to $\mathcal{Z}_2$, as in model $\mathcal{M}$, could be done equally well through an adversary in model $\mathcal{M}'$. Specifically, for any adversary $\mathcal{A}$ in $\mathcal{M}$, we may construct a real-world adversary $\mathcal{A}'$ in model $\mathcal{M}'$ that receives both $S_A$ and $W$. It then applies $\mathcal{A}$ on $S_A$ and leaves $W$ alone. By the security guarantee in $\mathcal{M}'$, there is an ideal-world adversary $\mathcal{S}'$ that simulates $\mathcal{A}'$. Finally we construct an ideal-world adversary $\mathcal{S}$, using $\mathcal{S}'$ in some manner. However, the difficulty is that $\mathcal{S}'$ sees $W$ and may depend on $W$ in some nontrivial way, whereas in model $\mathcal{M}$, $W$ is kept by $\mathcal{Z}_1$ and is not available to $\mathcal{S}$. The strategy here is to consider a special class of $\mathcal{Z}_1$'s that always authenticate $W$ before passing it to someone else. This forces, in particular, $\mathcal{S}'$ to be essentially the identity operator on $W$, because authentication ensures that any tampering on $W$ would otherwise be detected by $\mathcal{Z}_2$. This tells us that the operation of $\mathcal{S}'$ is independent of $W$, and thus can be simulated by $\mathcal{S}$, which does not have $W$.

To give the formal proof of Lemma 3.2.3, we first review what quantum authentication is [BCG+02].

Definition 3.2.4 (Quantum Authentication Scheme). A quantum authentication scheme (QAS) is a pair of polynomial-time algorithms $A$ and $B$ together with a set of classical keys $\mathcal{K}$ such that

• Let $M$ be a message system on $m$ qubits. $A$ takes $M$ and a key $k \in \mathcal{K}$ as input and outputs a transmitted system $T$ of $m + t$ qubits.

• $B$ takes as input the (possibly altered) transmitted system $T'$ and a classical key $k \in \mathcal{K}$ and outputs two systems: an $m$-qubit message state $M$, and a single qubit $V$ which indicates acceptance or rejection.

For any fixed key $k$, we denote the corresponding superoperators of $A$ and $B$ by $A_k$ and $B_k$.

Let $\mathsf{A}$ be the operation that samples a random key $k \in \mathcal{K}$ and applies $A_k$; $\mathsf{B}$ denotes the corresponding decoding procedure $B_k$. The proposition below states an interesting property of a secure QAS $(\mathsf{A}, \mathsf{B})$ which is crucial in proving Lemma 3.2.3. Its proof and the formal definition of a secure QAS will appear later.

Proposition 3.2.5. Let $(\mathsf{A}, \mathsf{B})$ be a secure QAS. Given two superoperators $\mathcal{E} : L(X) \to L(X')$ and $O : L(W \otimes X) \to L(W \otimes X')$, define $O' : L(X) \to L(X')$ by

$$\rho \mapsto \mathrm{Tr}_{W'}\big[\, O \cdot \mathbb{1}_X \otimes \mathsf{A}(\rho \otimes |0\rangle\langle 0|_{W'}) \,\big].$$

If $\mathcal{E} \otimes \mathbb{1}_W \approx_{wqc} O$, then $\mathcal{E} \approx_{qc} O'$.

Figure 3.2. Illustration of $O$ and $O'$

Proof of Lemma 3.2.3. Given a protocol $\Pi$ secure in model $\mathcal{M}'$, our goal is to show that it is also secure in $\mathcal{M}$. Specifically, we need to argue that for any $\mathcal{A}$ there is an $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx_{qc} M_{\mathcal{F},\mathcal{S}}$. The complete construction of $\mathcal{S}$ is shown below (see also Fig. 3.3, where P and Q stand for perfectly and quantum computationally indistinguishable).

Figure 3.3. Proof of Prop. 3.2.1


• Given an arbitrary real-world adversary $\mathcal{A}$ acting in model $\mathcal{M}$.

• Construct $\mathcal{A}'$ acting in model $\mathcal{M}'$. $\mathcal{A}'$ receives some state on registers $S_A$ and $W$. It hands $S_A$ to $\mathcal{A}$ and outputs what $\mathcal{A}$ outputs, leaving $W$ untouched. Then $M_{\Pi,\mathcal{A}'} = M_{\Pi,\mathcal{A}} \otimes \mathbb{1}_W$ by construction.

• Since we assume the protocol is secure in $\mathcal{M}'$, by definition there is an $\mathcal{S}'$ such that $M_{\Pi,\mathcal{A}'} \approx_{wqc} M_{\mathcal{F},\mathcal{S}'}$.

• Finally, construct the ideal-world adversary $\mathcal{S}$ for $\mathcal{A}$. $\mathcal{S}$ authenticates $|0\rangle\langle 0|_{W'}$ with a randomly chosen key (i.e., applying the operator $\mathsf{A}$ as defined in Definition 3.2.4). Then it runs $\mathcal{S}'$ on $S_A$ and $W'$, outputs $O_A$ and discards $W'$. Now we can apply Proposition 3.2.5 and conclude that $M_{\mathcal{F},\mathcal{S}} \otimes \mathbb{1}_W \approx_{wqc} M_{\mathcal{F},\mathcal{S}'}$.

Combining the sequence of indistinguishability and/or equivalence, we obtain that $M_{\mathcal{S}} \approx_{qc} M_{\mathcal{A}}$.

Thus if $\Pi$ is secure in $\mathcal{M}'$, it is also secure in $\mathcal{M}$. □

Lemma 3.2.2 and Lemma 3.2.3 together show Prop. 3.2.1: passing state is irrelevant if $\mathcal{Z}_1$ takes quantum advice.

We now define formally what a secure QAS is and prove Prop. 3.2.5. Security in [BCG+02] is only defined with respect to a closed message system. Here we extend their definition to capture the entangled-input case as well, i.e., the message being authenticated is entangled with another reference system. In addition, we define an operation $cE$, which we call conditional erasure. Given a state $\rho \in X \otimes Y$ where $X$ is a qubit system, $cE$ first measures $X$ in the computational basis. If the outcome is 1, $cE$ leaves $Y$ untouched; otherwise, $Y$ is replaced with the state $|0\rangle\langle 0|_Y$.

Figure 3.4. Soundness of QAS


Definition 3.2.6 (Secure QAS with entangled input). A QAS $(\mathsf{A}, \mathsf{B})$ is secure with error $\epsilon$ for a state $|\phi\rangle \in R \otimes M$ if it satisfies:

• Completeness. For all keys $k \in \mathcal{K}$: $B_k \otimes \mathbb{1}_R\big(A_k \otimes \mathbb{1}_R(|\phi\rangle\langle\phi|)\big) = |\phi\rangle\langle\phi| \otimes |ACC\rangle\langle ACC|$.

• Soundness. For all superoperators $O$ acting on $M \otimes R$, define (see Figure 3.4):

$$\rho_1 := cE \cdot \mathsf{B} \otimes \mathbb{1}_R \cdot O \cdot \mathsf{A} \otimes \mathbb{1}_R\,(|\phi\rangle\langle\phi|)$$

$$\rho_2 := \mathrm{Tr}_{M'}\big[\, \mathbb{1}_{M'} \otimes cE \cdot \mathsf{B}_{M'} \cdot O \cdot \mathsf{A}_{M'}\,(|0\rangle\langle 0|_{M'} \otimes |\phi\rangle\langle\phi|) \,\big]$$

where $M'$ is an auxiliary system with the same dimension as $M$ and is initialized with $|0\rangle$. Soundness requires that the trace distance between $\rho_1$ and $\rho_2$ is at most $\epsilon$:

$$D(\rho_1, \rho_2) \le \epsilon.$$

A QAS is $\epsilon$-secure if it is secure with error $\epsilon$ for all states $|\phi\rangle$. When $\epsilon$ is a negligible function in the security parameter $n$, we simply call the scheme a secure QAS.

It turns out that the authentication scheme in [BCG+02], call it B+02, still satisfies this stronger notion. This was shown recently in [LHM11].

Proof of Prop. 3.2.5. Given any $|\psi\rangle \in X \otimes W$, let

$$\rho = \mathcal{E} \otimes \mathbb{1}_W(|\psi\rangle\langle\psi|), \qquad \sigma = O' \otimes \mathbb{1}_W(|\psi\rangle\langle\psi|).$$

We need to show that $\rho \approx_{wqc} \sigma$. Towards this goal, define

$$\tau'_1 := \mathcal{E}_X \otimes \mathbb{1}_{W'} \cdot \mathbb{1}_X \otimes \mathsf{A}_W(|\psi\rangle\langle\psi|); \qquad \tau_1 := \mathbb{1}_{X'} \otimes \mathsf{B}_W(\tau'_1)$$

$$\tau'_2 := O \cdot \mathbb{1}_X \otimes \mathsf{A}_W(|\psi\rangle\langle\psi|); \qquad \tau_2 := \mathbb{1}_{X'} \otimes \mathsf{B}_W(\tau'_2)$$

We then show $\rho \approx_{wqc} \sigma$ via a sequence of claims below.

Claim 3.2.7. $\rho = \mathrm{Tr}_V(\tau_1)$.

Proof of Claim 3.2.7. This is actually the completeness condition of the QAS in disguise.

$$\begin{aligned}
\tau_1 &= \mathbb{1}_{X'} \otimes \mathsf{B}_W \cdot \mathcal{E}_X \otimes \mathbb{1}_{W'} \cdot \mathbb{1}_X \otimes \mathsf{A}_W(|\psi\rangle\langle\psi|) \\
&= \mathcal{E}_X \otimes \mathbb{1}_W \cdot \mathbb{1}_X \otimes \mathsf{B}_W \cdot \mathbb{1}_X \otimes \mathsf{A}_W(|\psi\rangle\langle\psi|) && \text{(Commutativity)} \\
&= \mathbb{1}_W \otimes \mathcal{E}(|\psi\rangle\langle\psi|) \otimes |1\rangle\langle 1|_V && \text{(Completeness of QAS)} \\
&= \rho \otimes |1\rangle\langle 1|_V
\end{aligned}$$

□


Claim 3.2.8. Let $P_{acc} := |1\rangle\langle 1|_V \otimes \mathbb{1}_{W \otimes X'}$ and $p_{acc} := \mathrm{Tr}(P_{acc}\,\tau_2)$. Then

$$D(\sigma, \mathrm{Tr}_V(\tau_2)) \le 2\epsilon(n) + 2(1 - p_{acc}),$$

where the negligible function $\epsilon(n)$ is the soundness error of the QAS.
Proof of Claim 3.2.8. Write

$$\tau_2 = p\,|1\rangle\langle 1|_V \otimes \tau_2^{acc} + (1-p)\,|0\rangle\langle 0|_V \otimes \tau_2^{rej}$$

$$\sigma = q\,\sigma^{acc} + (1-q)\,\sigma^{rej}$$

As one may have already expected, this claim relies heavily on the soundness property of a secure QAS; we make the connection precise by defining

$$\eta := p\,|1\rangle\langle 1|_V \otimes \tau_2^{acc} + (1-p)\,|0\rangle\langle 0|_V \otimes |0\rangle\langle 0|_{X' \otimes W}$$

$$\eta' := q\,|1\rangle\langle 1|_V \otimes \sigma^{acc} + (1-q)\,|0\rangle\langle 0|_V \otimes |0\rangle\langle 0|_{X' \otimes W}$$

Then by soundness of the QAS, we have that $D(\eta, \eta') \le \epsilon(n)$ (1). This in particular implies that $|p - q| \le \epsilon(n)$ and hence $q \ge p - \epsilon(n)$. Moreover

$$D(\tau_2, \eta) = (1-p) \cdot \big\|\tau_2^{rej} - |0\rangle\langle 0|_{X' \otimes W}\big\|_1 \le 1 - p \qquad (2)$$

$$D(\sigma, \mathrm{Tr}_V(\eta')) = (1-q) \cdot \big\|\sigma^{rej} - |0\rangle\langle 0|_{X' \otimes W}\big\|_1 \le 1 - q \le 1 - p + \epsilon(n) \qquad (3)$$

Combining (1) to (3), we conclude by the triangle inequality that

$$\begin{aligned}
D(\sigma, \mathrm{Tr}_V(\tau_2)) &\le D(\tau_2, \eta) + D(\eta, \eta') + D(\mathrm{Tr}_V(\eta'), \sigma) \\
&\le (1 - p) + \epsilon(n) + (1 - p + \epsilon(n)) \\
&= 2\epsilon(n) + 2(1 - p)
\end{aligned}$$

□
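The conditional-erasure operation $cE$ defined above and inequality (2) in the proof of Claim 3.2.8 can be checked numerically on small density matrices. The following Python block is an added example, not code from the thesis: it implements $cE$ on a real bipartite density matrix (qubit $X$ first, then $Y$), computes the trace distance $D(\rho,\sigma) = \frac{1}{2}\|\rho-\sigma\|_1$ with a Jacobi eigenvalue routine, and builds a constructed instance of $\tau_2 = p|1\rangle\langle 1|_V \otimes \tau_2^{acc} + (1-p)|0\rangle\langle 0|_V \otimes \tau_2^{rej}$. Applying $cE$ to $\tau_2$ produces exactly the state $\eta$ of the proof, and the block returns $D(\tau_2,\eta)$ next to $(1-p)\cdot D(\tau_2^{rej}, |0\rangle\langle 0|)$ and the bound $1-p$. The example uses $D$ (with the factor $\frac{1}{2}$) rather than the bare trace norm; the states $\tau_2^{acc} = |+\rangle\langle +|$, $\tau_2^{rej} = |1\rangle\langle 1|$ and the weight $p = 3/4$ are constructed choices.

```python
import math

# Added example (not from the thesis): conditional erasure cE, trace distance,
# and a constructed instance of inequality (2) from the proof of Claim 3.2.8.
# Matrices are real, given as lists of rows; a bipartite state on X (qubit) and Y
# uses index x * dim(Y) + y, i.e. the X factor comes first in kron().

def kron(a, b):
    """Kronecker (tensor) product a ⊗ b of two real matrices."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def scale(c, a):
    return [[c * x for x in ra] for ra in a]

def ket_dm(i, dim):
    """Computational-basis projector |i><i| on a dim-dimensional system."""
    return [[1.0 if r == c == i else 0.0 for c in range(dim)] for r in range(dim)]

def eigenvalues_sym(m, tol=1e-20, max_sweeps=100):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in m]
    n = len(a)
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                       # A <- A J   (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                       # A <- J^T A (rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]

def trace_distance(rho, sigma):
    """D(rho, sigma) = (1/2) * sum of |eigenvalues| of rho - sigma."""
    return 0.5 * sum(abs(l) for l in eigenvalues_sym(add(rho, scale(-1.0, sigma))))

def cond_erase(rho, dim_y):
    """cE from the definition: measure the qubit X in the computational basis;
    on outcome 1 keep Y, on outcome 0 replace Y by |0><0|_Y."""
    d = dim_y
    out = [[0.0] * (2 * d) for _ in range(2 * d)]
    p0 = sum(rho[i][i] for i in range(d))            # Pr[outcome 0] = Tr of the X=0 block
    out[0][0] = p0                                   # |0><0|_X ⊗ p0 |0><0|_Y
    for r in range(d):                               # |1><1|_X ⊗ (X=1 block, untouched)
        for c in range(d):
            out[d + r][d + c] = rho[d + r][d + c]
    return out

def claim_328_instance(p=0.75):
    """Constructed instance of inequality (2): tau2 with accept weight p, eta = cE(tau2).
    Returns (D(tau2, eta), (1-p) * D(tau2_rej, |0><0|), 1 - p)."""
    tau_acc = [[0.5, 0.5], [0.5, 0.5]]       # |+><+| on Y for the accept branch (kept by cE)
    tau_rej = ket_dm(1, 2)                   # |1><1| on Y for the reject branch (erased by cE)
    tau2 = add(scale(p, kron(ket_dm(1, 2), tau_acc)),
               scale(1.0 - p, kron(ket_dm(0, 2), tau_rej)))
    eta = cond_erase(tau2, 2)                # equals p|1><1|⊗tau_acc + (1-p)|0><0|⊗|0><0|
    return (trace_distance(tau2, eta),
            (1.0 - p) * trace_distance(tau_rej, ket_dm(0, 2)),
            1.0 - p)

if __name__ == "__main__":
    lhs, rhs, bound = claim_328_instance()
    print(f"D(tau2, eta) = {lhs:.4f}, (1-p)*D(tau_rej, |0><0|) = {rhs:.4f}, bound 1-p = {bound:.4f}")
```

With these choices $D(\tau_2, \eta) = 1 - p = 0.25$, the worst case of (2), because the rejected branch $|1\rangle\langle 1|$ is orthogonal to the erased $|0\rangle\langle 0|$; any other $\tau_2^{rej}$ gives a smaller value. Only real density matrices are handled, since the Jacobi routine is written for real symmetric matrices.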


Claim 3.2.9. $\tau_1 \approx_{wqc} \tau_2$.

Proof of Claim 3.2.9. We show that for any poly-time QTM $\mathcal{Z}$, $|\Pr(\mathcal{Z}(\tau_1) = 1) - \Pr(\mathcal{Z}(\tau_2) = 1)| \le \delta(n)$ with $\delta(n)$ negligible. Suppose for contradiction that there is a poly-time $\mathcal{Z}$ such that $|\Pr(\mathcal{Z}(\tau_1) = 1) - \Pr(\mathcal{Z}(\tau_2) = 1)| > \delta(n)$; we design $\mathcal{Z}'$ that contradicts (*). $\mathcal{Z}'$ will have the random classical key $k$ that $\mathsf{A}$ used in authentication hardwired into its circuit. Then upon receiving either $\tau'_1$ or $\tau'_2$, it first applies $B_k$, the verification operation of the QAS, on system $W$, and passes the resulting state to $\mathcal{Z}$. Output whatever $\mathcal{Z}$ outputs. It is easy to see that

$$\begin{aligned}
|\Pr(\mathcal{Z}'(\tau'_1) = 1) - \Pr(\mathcal{Z}'(\tau'_2) = 1)|
&= |\Pr(\mathcal{Z}(\mathbb{1}_{X'} \otimes B_k(\tau'_1)) = 1) - \Pr(\mathcal{Z}(\mathbb{1}_{X'} \otimes B_k(\tau'_2)) = 1)| \\
&= |\Pr(\mathcal{Z}(\tau_1) = 1) - \Pr(\mathcal{Z}(\tau_2) = 1)| > \delta(n)
\end{aligned}$$

□

Immediately we obtain as a corollary of Claim 3.2.9 that $p_{acc} \ge 1 - \delta(n)$. This is because $\mathrm{Tr}(P_{acc}\,\tau_1) = 1$ and $\mathrm{Tr}(P_{acc}\,\tau_2) = p_{acc}$. Consider a QTM $\mathcal{Z}$ that measures $V$ in the computational basis to distinguish $\tau_1$ and $\tau_2$. Then Claim 3.2.9 tells us that

$$1 - p_{acc} = |\mathrm{Tr}(P_{acc}\,\tau_1) - \mathrm{Tr}(P_{acc}\,\tau_2)| = |\Pr(\mathcal{Z}(\tau_1) = 1) - \Pr(\mathcal{Z}(\tau_2) = 1)| \le \delta(n).$$

Combining the above claims, we conclude that for all $|\psi\rangle \in X \otimes W$ and for all poly-time QTMs $\mathcal{Z}$,

$$\begin{aligned}
|\Pr(\mathcal{Z}(\rho) = 1) - \Pr(\mathcal{Z}(\sigma) = 1)|
&\le |\Pr(\mathcal{Z}(\rho) = 1) - \Pr(\mathcal{Z}(\mathrm{Tr}_V(\tau_1)) = 1)| \\
&\quad + |\Pr(\mathcal{Z}(\mathrm{Tr}_V(\tau_1)) = 1) - \Pr(\mathcal{Z}(\mathrm{Tr}_V(\tau_2)) = 1)| \\
&\quad + |\Pr(\mathcal{Z}(\mathrm{Tr}_V(\tau_2)) = 1) - \Pr(\mathcal{Z}(\sigma) = 1)| \\
&\le 0 + \delta(n) + 2\epsilon(n) + 2(1 - p_{acc}) \\
&\le 2(\delta(n) + \epsilon(n)) = \delta'(n)
\end{aligned}$$

which is still negligible. This means that $\rho \approx_{wqc} \sigma$ and as a result $\mathcal{E} \approx_{qc} O'$. □

We want to mention that Proposition 3.2.5 actually reveals an interesting fact that resembles information-theoretic statements relating various notions of quantum channel fidelity (e.g., [BKN00]).

As an immediate corollary, we get that once $\mathcal{Z}_1$ takes quantum advice, quantum advice to $\mathcal{Z}_2$ makes no difference (Fig. 3.5).

Corollary 3.2.10.

Figure 3.5. Quantum advice to $\mathcal{Z}_1$ collapses all models

Proof. We know from Prop. 3.2.1 that

$$\mathcal{M}_{aux_1,aux_2,state} = \mathcal{M}_{aux_1,aux_2,\overline{state}} \quad\text{and}\quad \mathcal{M}_{aux_1,\overline{aux_2},state} = \mathcal{M}_{aux_1,\overline{aux_2},\overline{state}}.$$

We only need one last connection, that $\mathcal{M}_{aux_1,aux_2,state} = \mathcal{M}_{aux_1,\overline{aux_2},state}$. This is a simple observation: when $\mathcal{Z}_1$ takes quantum advice and passes state to $\mathcal{Z}_2$, $\mathcal{Z}_2$ does not need to explicitly take extra advice, because the state can just be included in $\mathcal{Z}_1$'s quantum advice and later passed to $\mathcal{Z}_2$ by $\mathcal{Z}_1$. □

In summary, we conclude that if we allow $\mathcal{Z}_1$ to take arbitrary quantum advice, we end up with only one model.

3.2.2 $\mathcal{Z}_1$ does not take quantum advice

When $\mathcal{Z}_1$ takes no quantum advice, namely the inputs to the players are generated by a poly-time QTM, the situation becomes less clear.

State passing still makes no difference. Since we can think of $\mathcal{Z}_1$'s that do not take quantum advice as a subclass of $\mathcal{Z}_1$'s that do take quantum advice (i.e., empty advice), an argument analogous to Lemma 3.2.3 implies that

Lemma 3.2.11.

$$\mathcal{M}_{\overline{aux_1},aux_2,state} = \mathcal{M}_{\overline{aux_1},aux_2,\overline{state}} \quad\text{and}\quad \mathcal{M}_{\overline{aux_1},\overline{aux_2},state} = \mathcal{M}_{\overline{aux_1},\overline{aux_2},\overline{state}}.$$

Figure 3.6. Equivalent models when $\mathcal{Z}_1$ takes no quantum advice
Quantum advice to $\mathcal{Z}_2$. Recall that when $\mathcal{Z}_1$ takes quantum advice, quantum advice to $\mathcal{Z}_2$ turns out to be irrelevant. However, here it is unclear whether such a result still holds. A closely related question is whether BQP/poly = BQP/qpoly, which is one of the most important open problems in quantum complexity theory. We may connect complexity theory with our security models in different ways:

• Assume BQP/poly = BQP/qpoly; does that imply, for example,

$$\mathcal{M}_{\overline{aux_1},aux_2,state} = \mathcal{M}_{\overline{aux_1},\overline{aux_2},state}\,?$$

Otherwise, what is the minimal complexity assumption that suffices to derive the equality above?

• Conversely, if it turns out that

$$\mathcal{M}_{\overline{aux_1},aux_2,state} \neq \mathcal{M}_{\overline{aux_1},\overline{aux_2},state} \quad\text{or}\quad \mathcal{M}_{\overline{aux_1},aux_2,\overline{state}} \neq \mathcal{M}_{\overline{aux_1},\overline{aux_2},\overline{state}},$$

are there any interesting complexity implications?


3.2.3 A special constraint: Markov Condition

Another choice, which may appear less essential, is: do we allow arbitrarily general input states? This question is made concrete in [DFL+09, FS09], where a stand-alone model was proposed to capture secure emulation of classical functionalities. Only a special form of inputs is allowed there, which we may call the Markov condition. As opposed to a general bipartite state with one part being classical (a.k.a. cq-states), $\rho_{AB} = \sum_a \lambda_a |a\rangle\langle a| \otimes \rho_B^a$, the Markov condition requires that the input to dishonest Bob contains a classical subsystem $Y$ such that, conditioned on $Y$, Bob's quantum input is independent of A's classical input. Such states are denoted as

$$\rho_{AYB} = \sum_{a,b} \lambda_{a,b}\,|a\rangle\langle a|_A \otimes |b\rangle\langle b|_Y \otimes \rho_B^b.$$

Now let us analyze how the Markov condition affects our abstract model discussed above. It turns out that the effect of the Markov condition, again, depends on whether $\mathcal{Z}_1$ takes quantum advice.

$\mathcal{Z}_1$ takes quantum advice: Markov condition becomes redundant. We denote models with the Markov condition by $\mathcal{M}^*$.

Lemma 3.2.12. $\mathcal{M}^*_{aux_1,\cdot,\cdot} = \mathcal{M}_{aux_1,\cdot,\cdot}$ for any choices of $aux_2$ and state passing. Namely, the model where inputs must satisfy the Markov condition is equivalent to the model where inputs can be any bipartite states with one part being classical.

Proof. To be concrete, we consider the two models $\mathcal{M} := \mathcal{M}_{aux_1,\overline{aux_2},\overline{state}}$ and $\mathcal{M}' := \mathcal{M}^*_{aux_1,\overline{aux_2},\overline{state}}$. The same argument applies to the other cases.

One direction is obvious, namely, if a protocol is secure in $\mathcal{M}$ then it is automatically secure in $\mathcal{M}'$, because we can think of the Markov condition as specifying a subclass of the possible QTMs $\mathcal{Z}_1$ allowed in $\mathcal{M}$. Now we show that any protocol secure in $\mathcal{M}'$ is also secure in the seemingly stronger model $\mathcal{M}$. Equivalently, we prove that if there is a protocol $\Pi$ not secure in $\mathcal{M}$, it is also insecure in $\mathcal{M}'$. Formally, suppose there is an adversary $\mathcal{A}$ in $\mathcal{M}$ such that for all $\mathcal{S}$ there exist $\mathcal{Z}_1, \mathcal{Z}_2$ so that $\mathcal{Z}_2$ can distinguish $M_{\mathcal{A}}$ and $M_{\mathcal{S}}$. Then we construct $\mathcal{A}', \mathcal{Z}'_1$ and $\mathcal{Z}'_2$ such that there is no $\mathcal{S}'$ able to simulate $\mathcal{A}'$ in model $\mathcal{M}'$. By our assumption, there is an input state $\sigma_n := \sum_a \lambda_a |a\rangle\langle a|_A \otimes \sigma_B^a$ with $\sum_a \lambda_a = 1$ such that

$$\big|\Pr[\mathcal{Z}_2(M_{\mathcal{A}}(\sigma_n))] - \Pr[\mathcal{Z}_2(M_{\mathcal{S}}(\sigma_n))]\big| > 1/\mathrm{poly}(n)$$

holds for any poly-time $\mathcal{S}$. Observe that each summand $|a\rangle\langle a|_A \otimes \sigma_B^a$ of $\sigma_n$ trivially satisfies the Markov condition. Since $\sigma_n$ is a convex combination of the $|a\rangle\langle a|_A \otimes \sigma_B^a$, there must be a $\tilde\sigma_n = |a\rangle\langle a|_A \otimes \sigma_B^a$ such that

$$\big|\Pr[\mathcal{Z}_2(M_{\mathcal{A}}(\tilde\sigma_n))] - \Pr[\mathcal{Z}_2(M_{\mathcal{S}}(\tilde\sigma_n))]\big| > 1/\mathrm{poly}(n)$$

for any poly-time $\mathcal{S}$. This observation tells us we can simply let $\mathcal{A}' := \mathcal{A}$, $\mathcal{Z}'_2 := \mathcal{Z}_2$, and let $\mathcal{Z}'_1$ be the machine that takes quantum advice $\{\tilde\sigma_n\}$ and hands $\tilde\sigma_n$ to the players as input. Then for any poly-time $\mathcal{S}'$,

$$\begin{aligned}
\big|\Pr[\mathcal{Z}'_2(M_{\mathcal{A}'}(\tilde\sigma_n))] - \Pr[\mathcal{Z}'_2(M_{\mathcal{S}'}(\tilde\sigma_n))]\big|
&= \big|\Pr[\mathcal{Z}_2(M_{\mathcal{A}}(\tilde\sigma_n))] - \Pr[\mathcal{Z}_2(M_{\mathcal{S}}(\tilde\sigma_n))]\big| > 1/\mathrm{poly}(n)
\end{aligned}$$

This shows that security in $\mathcal{M}'$ implies security in $\mathcal{M}$. □

$\mathcal{Z}_1$ takes no quantum advice: Markov condition may matter. The argument in Lemma 3.2.12 does not necessarily apply here, because previously we could simply give $\tilde\sigma_n$ to $\mathcal{Z}_1$ directly as advice. However, $\tilde\sigma_n$ might be impossible to generate on a poly-time QTM. It would be interesting either to construct a concrete example that shows a separation or otherwise to give a proof of equivalence. Due to lack of clear insight into the Markov condition in this case, we leave it as an open question.

Reflections. Given the above discussion, we feel it is reasonable to suggest that, when dealing with efficient quantum adversaries, allowing quantum advice to adversaries should be the "default" choice. A few justifications are in order. First of all, poly-time QTMs with quantum advice form the most general model under the quantum circuit computation formalism, and as demonstrated earlier, quantum advice often simplifies the discussion dramatically. Moreover, despite the seemingly strong power of such adversaries, we can still get secure cryptographic protocols (e.g., SFE) against them under plausible computational assumptions. Finally, we want to mention that most existing works do not consider quantum advice to adversaries. We think it makes sense to revisit such results against adversaries with quantum advice, though it should not be surprising that most, if not all, results still hold, with possible adaptation of the underlying assumptions.
3.3 Quantum UC Model: An Overview

So far, our security model falls into the stand-alone setting, where protocols are assumed to be executed in isolation. However, in practice we often encounter a network setting, where many protocols are running concurrently. A protocol proven secure according to a stand-alone security definition ensures nothing if we run it in a network environment. In view of this issue, Canetti [Can01] proposed the (classical) Universally Composable (UC) security model. It differs from the stand-alone definition of security in that the environment is allowed to be interactive: during the execution of the protocol, the environment may provide inputs to and receive the outputs of the honest players, and exchange arbitrary messages with the adversary. In contrast, the environment in the stand-alone model runs only at the end of the protocol execution (and, implicitly, before the protocol starts, to prepare the inputs to all parties). UC-secure protocols enjoy a property called general (or universal) composition⁷: loosely speaking, the protocol remains secure even if it is run concurrently with an unbounded number of other arbitrary protocols (whereas proofs of security in the stand-alone model only guarantee security when only a single protocol at a time is running).

Earlier work on defining UC security and proving universal composition in the quantum setting appears in [BM04, Unr04]. We will adapt the somewhat simpler formalism of Unruh [Unr10].

Modulo a small change in Unruh's model (quantum advice, discussed below), our stand-alone model is exactly the restriction of Unruh's model to a non-interactive environment, that is, one which is idle from the start to the finish of the protocol. The only apparent difference is that in the UC model, the environment runs for some time before the protocol starts to prepare inputs, while in Section 3.1 we simply quantify over all joint states $\sigma$ of the honest players' and adversary's inputs. This difference is only cosmetic, though: the state $\sigma$ can be taken to be the joint state of the outputs and internal memory of the environment at the time the protocol begins. A more "quantum-flavor" issue is that the environment, though idle during the execution of the protocol, may keep a state that is entangled with the inputs to the honest party and the adversary, which may increase its distinguishing ability in the end. However, as we show in Sect. 3.2, no actual difference occurs.

⁷ There is a distinction between UC security (a definition that may be satisfied by a specific protocol and ideal functionality) and universal composition (a property of the class of protocols that satisfy a security definition). Not all definitions that admit universal composition theorems are equivalent to UC security. See [HU06, Lin09] for discussion.

We make one change to Unruh's model in order to be consistent with our earlier definitions and the work of Watrous on zero-knowledge [Wat09]: we allow the environment to take quantum advice, rather than only classical advice. In the language of [Unr10, p. 11], we change the initialization phase of a network execution to create a state $\rho \in \mathcal{P}(\mathcal{H}_N)$ which equals the classical string $|(\varepsilon, \mathrm{environment}, \varepsilon)\rangle$ in $\mathcal{H}_{class}$ (instead of $|(\varepsilon, \mathrm{environment}, z)\rangle$), and an arbitrary state $\sigma$ in $\mathcal{H}_{quant}$ (instead of $|\varepsilon\rangle$). Here $\varepsilon$ denotes the empty string. Moreover, we change the definition of indistinguishable networks [Unr10, p. 12] to quantify over all states $\sigma$ instead of all classical strings $z$. This change is not significant for statistical security, since an unbounded adversary may reconstruct a quantum advice state from an (exponentially long) classical description. However, it may be significant for polynomial-time adversaries: it is not known how much quantum advice affects the power of, say, BQP relative to classical advice. For completeness, we state this modified definition of quantum UC security below. Again, we only state the computational version.

Definition 3.3.1 (Quantum Computational UC Emulation). Let $\Pi$ and $\Gamma$ be two-party protocols. We say $\Pi$ quantum UC emulates $\Gamma$ if for any poly-time QIM $\mathcal{A}$ there is a poly-time QIM $\mathcal{S}$ such that $M_{\Pi,\mathcal{A}} \approx M_{\Gamma,\mathcal{S}}$ (interactively indistinguishable, as per Def. 2.2.7).

Equivalently, if we define $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} := \{\langle \mathcal{Z}, M_{\mathcal{A}}\rangle(\sigma_n)\}_{n \in \mathbb{N},\, \sigma_n \in \mathcal{D}(\mathcal{H}_n)}$ and $\mathrm{IDEAL}_{\Gamma,\mathcal{S},\mathcal{Z}} := \{\langle \mathcal{Z}, M_{\mathcal{S}}\rangle(\sigma_n)\}_{n \in \mathbb{N},\, \sigma_n \in \mathcal{D}(\mathcal{H}_n)}$, then we can rephrase the condition as "for any poly-time QIM $\mathcal{A}$, there is a poly-time QIM $\mathcal{S}$ such that for any poly-time QIM $\mathcal{Z}$, $\mathrm{EXEC}_{\Pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{IDEAL}_{\Gamma,\mathcal{S},\mathcal{Z}}$."

Later on, we will use Q-CUC (resp. C-CUC) and Q-SUC (resp. C-SUC) to refer to objects in the quantum (resp. classical) computationally or statistically UC model.

General (concurrent) Composition Operation. The most striking feature of the UC model is that it admits a very general form of composition that is crucial in the network setting: concurrent composition⁸. We use the same notation as before, $\Pi^{\Gamma \to \Gamma'}$, to denote the composed protocol obtained from $\Pi$ by substituting $\Gamma'$ for subroutine calls to $\Gamma$. However, as opposed to the composition operation in the stand-alone setting, there can be multiple instances of $\Gamma'$ running concurrently. For a formal description of the general composition operation, we refer to [Can01].

It is easy to verify that this modification of Unruh's definition does not affect the validity of the universal composition theorem:

Theorem 3.3.2 (Quantum UC Composition Theorem). Let $\Pi$, $\Gamma$ and $\Gamma'$ be poly-time protocols. Assume that $\Gamma'$ quantum UC-emulates $\Gamma$. Then $\Pi^{\Gamma \to \Gamma'}$ quantum UC-emulates $\Pi$.

⁸ People often refer to this type of composition as UC composition, presumably because security in the UC model implies general concurrent composition. This should not cause any further confusion.



Chapter 4

Secure Computation against Quantum Attacks: Computational Setting

This chapter studies which classical protocols remain secure against quantum attacks in the computational setting. It is adapted from our work [HSS11].

Recall two important families of secure protocols in the classical setting:

• Stand-alone Secure Computation [GMW87]: assuming the existence of enhanced trapdoor permutations, there exist poly-time protocols that computationally stand-alone emulate any $\mathcal{F}$.

• Universally Composable Secure Computation [CLOS02]: there exist protocols in the $\mathcal{F}_{ZK}$-hybrid model that computationally UC emulate any $\mathcal{F}$, assuming the existence of enhanced trapdoor permutations.

We show that these general feasibility results largely remain unchanged against quantum attacks:

Theorem (Informal). For any classical two-party functionality $\mathcal{F}$, there exists a classical protocol $\pi$ that quantum computationally stand-alone emulates $\mathcal{F}$, under suitable quantum-resistant computational assumptions.

The proof of the theorem can be broken into two modules. First we show a quantum analogue of [CLOS02] (Section 4.1). Namely, there are a few functionalities, such as $\mathcal{F}_{ZK}$, that are powerful enough to realize any other functionality based on them, even with respect to quantum-computational UC security. As a result, it amounts to designing a (stand-alone) secure protocol for $\mathcal{F}_{ZK}$, which is the content of Section 4.2.


4.1 Founding Quantum UC Secure Computation on $\mathcal{F}_{ZK}$

The main theorem in this section shows that $\mathcal{F}_{ZK}$ is sufficient for UC secure computation of any two-party functionality against computationally bounded quantum adversaries. That is, for any well-formed functionality $\mathcal{F}$, there exists an $\mathcal{F}_{ZK}$-hybrid protocol that Q-CUC emulates $\mathcal{F}$. We stress that these protocols are all classical, and can be implemented efficiently with classical communication and computation devices.

Theorem 4.1.1. Let $\mathcal{F}$ be a two-party functionality. Under Assumptions 1 and 2, there exists a classical $\mathcal{F}_{ZK}$-hybrid protocol that Q-CUC emulates $\mathcal{F}$ in the presence of polynomial-time malicious quantum adversaries with static corruption.

The computational assumptions are stated below.

Assumption 1. There exists a classical pseudorandom generator secure against any poly-time quantum distinguisher.

Based on this assumption and the construction of [Nao91], we can obtain a statistically binding and quantum computationally hiding commitment scheme $\Pi_{com}$. All commitment schemes we use afterwards refer to this one. This assumption also suffices for Watrous's ZK proof system for any NP language against quantum attacks.

Assumption 2. There exists a dense classical public-key cryptosystem that is IND-CPA (chosen-plaintext attack) secure against quantum distinguishers.

A public-key cryptosystem is dense if a valid public key is indistinguishable in quantum poly-time from a uniformly random string of the same length. Although it is likely that standard reductions would show that Assumption 2 implies Assumption 1, we chose to keep the assumptions separate because the instantiation one would normally use for the pseudorandom generator would not be related to the public-key system (instead, it would typically be based on a symmetric-key block or stream cipher). Both assumptions hold, for instance, assuming the hardness of the learning with errors (LWE) problem [Reg09].

To prove Theorem 4.1.1, we analyze the protocol of Canetti et al. [CLOS02] for two- and multi-party computation (referred to in the sequel as CLOS). These are classical protocols, proven secure in the classical UC model. We will show that these protocols remain secure in the presence of quantum adversaries as long as the underlying primitives (pseudorandom generators and a special kind of public-key encryption scheme) are secure against quantum adversaries.

4.1.1 Simple Hybrid Argument

Our analysis is based on a new abstraction, which we call a simple hybrid argument (SHA). It captures a family of classical security arguments in the UC model which remain valid in the quantum setting (as long as the underlying primitives are secure against quantum adversaries).

Definition 4.1.2 (Simply related machines). We say two QIMs $M_a$ and $M_b$ are $(t,\epsilon)$-simply related if there is a time-$t$ QTM $M$ and a pair of classical distributions $D_a, D_b$ such that

(a) $M(D_a) = M_a$ (for two QIMs $N_1$ and $N_2$, we say $N_1 = N_2$ if the two machines behave identically on all inputs, that is, if they can be described by the same circuits),

(b) $M(D_b) = M_b$, and

(c) $D_a \approx D_b$.

Example 1. Figure 4.1 illustrates a pair of simply related machines.

Lemma 4.1.3. If two machines $M_a$ and $M_b$ are $(t,\epsilon)$-simply related, then $M_a \approx M_b$, i.e., they are $(t,\epsilon)$-interactively indistinguishable (as per Definition 2.2.7).
Figure 4.1. Two simply related machines. (a) Machine $M_a$ is machine $M$ on an input $a$ chosen uniformly at random. (b) Machine $M_b$ is machine $M$ on input a pseudorandom string $PG(r)$.

Proof. By definition, $M_a = M(D_a)$ and $M_b = M(D_b)$. If there is a $\mathcal{Z}$ with quantum advice $\sigma$ that distinguishes $M_a$ and $M_b$ with advantage $\epsilon' > \epsilon$ in time $t$, we can construct a time-$2t$ distinguisher $\mathcal{V}$ for $D_a$ and $D_b$ with advantage $\epsilon'$ as well. This contradicts $D_a \approx D_b$. $\mathcal{V}$ works by taking an input sample $d$ from either $D_a$ or $D_b$, then simulating $\langle M(d), \mathcal{Z}(\sigma)\rangle$. Output whatever $\mathcal{Z}$ outputs. Obviously, $\mathcal{V}$ runs in time at most $2t$ and distinguishes $D_a$ and $D_b$ with the same advantage as $\mathcal{Z}$ distinguishes $M_a$ and $M_b$. Thus we conclude $|\Pr(\langle M_a, \mathcal{Z}(\sigma)\rangle = 1) - \Pr(\langle M_b, \mathcal{Z}(\sigma)\rangle = 1)| \le \epsilon$ for any time-$t$ environment $\mathcal{Z}$. □

Definition 4.1.4 (Simple hybrid argument). Two machines $M_0$ and $M_\ell$ are related by a $(t,\epsilon)$-simple hybrid argument of length $\ell$ if there is a sequence of intermediate machines $M_1, M_2, \ldots, M_{\ell-1}$ such that each adjacent pair $M_{i-1}, M_i$ of machines, $i = 1, \ldots, \ell$, is $(t, \epsilon/\ell)$-simply related.

Lemma 4.1.5. For any $t$, $\epsilon$ and $\ell$, if two machines are related by a $(t,\epsilon)$-simple hybrid argument of length $\ell$, then the machines are $(t,\epsilon)$-interactively indistinguishable.

Proof. This is by a standard hybrid argument. Suppose, for contradiction, there exists a time-$t$ machine $\mathcal{Z}$ with advice $\sigma$ such that

$$|\Pr(\langle M_0, \mathcal{Z}(\sigma)\rangle = 1) - \Pr(\langle M_\ell, \mathcal{Z}(\sigma)\rangle = 1)| > \epsilon.$$

Then by the triangle inequality we can infer that there must exist some $i$ s.t.

$$|\Pr(\langle M_i, \mathcal{Z}(\sigma)\rangle = 1) - \Pr(\langle M_{i+1}, \mathcal{Z}(\sigma)\rangle = 1)| > \epsilon/\ell.$$

However, by assumption $M_i$ and $M_{i+1}$ are $(t, \epsilon/\ell)$-simply related and in particular no time-$t$ machine can distinguish them with advantage greater than $\epsilon/\ell$. □
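Definitions 4.1.2 and 4.1.4 and Lemmas 4.1.3 and 4.1.5 can be exercised on a small classical instance where every probability is computed exactly. The Python block below is an added example, not code from the thesis or from CLOS: it constructs a toy "PRG" with a 2-bit seed whose 3-bit output always has even parity (deliberately weak, so a distinguisher exists), a machine $M$ that one-time-pads three fixed messages with its input keys, and an environment $\mathcal{Z}$ that checks ciphertext parities. `lemma_413_transfer` shows the reduction of Lemma 4.1.3: $\mathcal{Z}$'s advantage on $M(D_a)$ versus $M(D_b)$ equals the advantage of $\mathcal{V} = \mathcal{Z} \circ M$ on $D_a$ versus $D_b$. `hybrid_argument` builds the hybrids $H_0, \ldots, H_3$ (the first $i$ keys pseudorandom, the rest uniform) and checks the triangle-inequality step of Lemma 4.1.5: the endpoint advantage is at most the sum of the adjacent advantages. All distributions, messages and the PRG are constructed for the example.

```python
from fractions import Fraction
from itertools import product

# Added example (not from the thesis or CLOS): an exact, classical toy instance of
# simply related machines (Def. 4.1.2) and a simple hybrid argument (Def. 4.1.4).
# Everything below (messages, the weak PRG, the environment) is constructed.

UNIFORM = {d: Fraction(1, 8) for d in range(8)}      # D_a: a uniform 3-bit key

def toy_prg(seed):
    """2-bit seed -> 3-bit output (s1, s2, s1 xor s2); the output parity is always 0,
    which is the deliberate weakness a distinguisher can exploit."""
    s1, s2 = (seed >> 1) & 1, seed & 1
    return (s1 << 2) | (s2 << 1) | (s1 ^ s2)

PSEUDO = {}                                           # D_b: toy_prg(seed) for a uniform seed
for _seed in range(4):
    PSEUDO[toy_prg(_seed)] = PSEUDO.get(toy_prg(_seed), Fraction(0)) + Fraction(1, 4)

def product_dist(factors):
    """Product distribution over tuples, as {tuple: probability}."""
    dist = {}
    for combo in product(*[list(f.items()) for f in factors]):
        key = tuple(v for v, _ in combo)
        pr = Fraction(1)
        for _, p in combo:
            pr *= p
        dist[key] = dist.get(key, Fraction(0)) + pr
    return dist

MESSAGES = (0b101, 0b011, 0b110)                      # fixed plaintexts (constructed)

def machine(keys):
    """The time-t machine M: one-time-pad the fixed messages with the input keys d."""
    return tuple(m ^ k for m, k in zip(MESSAGES, keys))

def parity(x):
    return bin(x).count("1") & 1

def environment(ciphertexts):
    """Z: output 1 iff every ciphertext has the parity of its message."""
    return 1 if all(parity(c) == parity(m) for c, m in zip(ciphertexts, MESSAGES)) else 0

def push_forward(dist, fn):
    """Distribution of fn(d) for d ~ dist, i.e. the behaviour of the machine fn(D)."""
    out = {}
    for d, p in dist.items():
        out[fn(d)] = out.get(fn(d), Fraction(0)) + p
    return out

def prob_one(dist, test):
    return sum((p for d, p in dist.items() if test(d) == 1), Fraction(0))

def advantage(dist_a, dist_b, test):
    return abs(prob_one(dist_a, test) - prob_one(dist_b, test))

def hybrid(i, length=3):
    """H_i: the first i keys pseudorandom, the remaining keys uniform
    (H_0 = all uniform, H_length = all pseudorandom)."""
    return product_dist([PSEUDO] * i + [UNIFORM] * (length - i))

def lemma_413_transfer():
    """Lemma 4.1.3: Z's advantage on M(D_a) vs M(D_b) equals the advantage of
    V = Z o M on D_a vs D_b. Returns (adv of Z on machines, adv of V on distributions)."""
    da, db = hybrid(0), hybrid(1)
    adv_z = advantage(push_forward(da, machine), push_forward(db, machine), environment)
    adv_v = advantage(da, db, lambda d: environment(machine(d)))
    return adv_z, adv_v

def hybrid_argument(length=3):
    """Lemma 4.1.5 check over H_0, ..., H_length.
    Returns (endpoint advantage, [adjacent advantages], endpoint <= sum of adjacent)."""
    ms = [push_forward(hybrid(i, length), machine) for i in range(length + 1)]
    end = advantage(ms[0], ms[length], environment)
    adjacent = [advantage(ms[i], ms[i + 1], environment) for i in range(length)]
    return end, adjacent, end <= sum(adjacent)

if __name__ == "__main__":
    print("Lemma 4.1.3 transfer:", lemma_413_transfer())
    print("hybrid argument (end, adjacent, bound holds):", hybrid_argument())
```

With this instance the endpoint advantage is $7/8$ and the adjacent advantages are $1/8, 1/4, 1/2$, so the triangle-inequality bound is tight here; `fractions.Fraction` keeps the arithmetic exact. The toy PRG is what makes the advantages nonzero; in the CLOS arguments the corresponding distributions are quantum-computationally indistinguishable, so each adjacent term is negligible and Lemma 4.1.5 yields a negligible endpoint advantage.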

4.1.2 Lifting CLOS to Quantum UC Security

Now we apply our simple hybrid argument framework to analyze the protocol in CLOS. We first review the structure of the construction of CLOS in the static setting:

• Let $\mathcal{F}$ be a two-party functionality. Design a protocol $\pi$ that C-CUC emulates $\mathcal{F}$ against semi-honest adversaries. The protocol uses a semi-honest oblivious transfer (ShOT) protocol, which can be constructed assuming the existence of enhanced trapdoor permutations (eTDPs).

• Let $\mathcal{F}_{CP}$ be the "commit-and-prove" functionality of [CLOS02, Figure 8]. A protocol is constructed in the $\mathcal{F}_{ZK}$-hybrid model that C-CUC emulates $\mathcal{F}_{CP}$, assuming the existence of a statistically binding and computationally hiding commitment scheme. Such a commitment scheme in turn can be constructed from a pseudorandom generator [Nao91].

• In the $\mathcal{F}_{CP}$-hybrid model, a generic compiler $\mathrm{COMP}$ is designed. Let $\pi' = \mathrm{COMP}(\pi)$ be the $\mathcal{F}_{CP}$-hybrid protocol after compilation. It is shown in [CLOS02, Proposition 8.1] that for every classical adversary $\mathcal{A}'$, there exists a classical adversary $\mathcal{A}$ with running time polynomial in that of $\mathcal{A}'$ such that $\mathrm{EXEC}_{\pi',\mathcal{A}',\mathcal{Z}} = \mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}$. That is, the interaction of $\mathcal{A}'$ with honest players running $\pi'$ is identical to the interaction of $\mathcal{A}$ with $\pi$ in the semi-honest model.

• It then follows, by the UC composition theorem, that $\pi'$ C-CUC emulates $\mathcal{F}$ in the $\mathcal{F}_{ZK}$-hybrid model.
We then show how to make the construction secure against quantum adversaries using proper quantum-immune assumptions. The key observation is that the security proofs of the semi-honest protocol and of the protocol in the $\mathcal{F}_{ZK}$-hybrid model fall into our simple hybrid argument framework. Thus once we augment the computational assumptions to be quantum-immune, they immediately become secure against quantum adversaries. This is stated more precisely below.

Observation 4.1.6 (CLOS proof structure). In CLOS, the security proofs for the semi-honest protocol and the protocol for $\mathcal{F}_{CP}$ in the $\mathcal{F}_{ZK}$-hybrid model against static adversaries consist of simple hybrid arguments with $t = \mathrm{poly}(n)$ and $\epsilon = \mathrm{negl}(n)$.

Moreover, the underlying indistinguishable distributions in the CLOS arguments consist of either (i) switching between a real public key and a uniformly random string, (ii) changing the plaintext of an encryption, or (iii) changing the message in the commit phase of a commitment protocol.

From this observation, we get the corollary below.

Corollary 4.1.7 (CLOS—simple hybrids). Under Assumptions 1 and 2,

(a) In the $\mathcal{F}_{ZK}$-hybrid model, there is a non-trivial protocol that UC-emulates $\mathcal{F}_{CP}$ in the presence of polynomial-time malicious static quantum adversaries.

(b) Let $\mathcal{F}$ be a well-formed two-party functionality. In the plain model, there is a protocol that UC-emulates $\mathcal{F}$ in the presence of polynomial-time semi-honest static quantum adversaries.

Proof. Observation 4.1.6 tells us there are two types of proofs in CLOS, so we only have to show that both can be augmented to hold against quantum adversaries. On the one hand, the simple hybrid arguments in CLOS still hold if we assume Assumptions 1 and 2, because the underlying distributions in these hybrid experiments remain indistinguishable against quantum distinguishers. On the other hand, we know quantum UC composition also holds by Theorem 3.3.2. □

Combining the previous proposition with the simpler arguments from CLOS (Corollary 4.1.7, above) we can prove Theorem 4.1.1.
Proof of Theorem 4.1.1. Fix a well-formed functionality $\mathcal{F}$ and let $\Pi$ be the protocol
for $\mathcal{F}$ in the semi-honest model guaranteed by the second part of Corollary 4.1.7.
Proposition ?? tells us the interaction of the dummy adversary $A'$ with $\mathrm{COMP}(\Pi)$
(in the $\mathcal{F}_{CP}$-hybrid model) is identical to the interaction of the adversary $A$ with
$\Pi$ (in the semi-honest model). By the security of $\Pi$ in the semi-honest model,
there exists an ideal-world adversary $S$ such that
$\mathrm{IDEAL}_{\mathcal{F},S,Z} \approx \mathrm{EXEC}_{\Pi,A,Z} = \mathrm{EXEC}_{\Pi',A',Z}$.
Thus, $\mathrm{COMP}(\Pi)$ securely emulates $\mathcal{F}$ in the $\mathcal{F}_{CP}$-hybrid model against
malicious adversaries. By the quantum UC composition theorem, we can compose
$\mathrm{COMP}(\Pi)$ with the protocol for $\mathcal{F}_{CP}$ to get a protocol secure against malicious quantum
adversaries in the $\mathcal{F}_{ZK}$-hybrid model. □

4.2 Realizing $\mathcal{F}_{ZK}$ with Stand-alone Security

In this section, we construct a protocol $\Pi_{ZK}$ that Q-CSA emulates $\mathcal{F}_{ZK}$. In the
stand-alone model, $\mathcal{F}_{ZK}$ is more commonly referred to as a zero-knowledge argument
of knowledge. Our construction needs an encryption scheme that has one extra
property beyond the one in Assumption 2.

Assumption 3. There exists, as in Assumption 2, a dense classical public-key
crypto-system that is IND-CPA secure against any quantum distinguisher. In addition,
encryptions of two messages under a uniformly random string are statistically
indistinguishable.

Note that the dense property already implies that encryptions under a random string
are quantum computationally indistinguishable. Assumption 3 strengthens this
requirement to statistical indistinguishability. This allows "cheating" in the
sense that if a ciphertext is generated under a uniformly random string, we can
then claim it to be an encryption of an arbitrary message. This type of encryption
scheme is sometimes called Meaningful/Meaningless encryption (e.g., see [KN08]).
Again, the LWE assumption implies Assumption 3. Let $\mathcal{E} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be
a crypto-system as in Assumption 3.

We will also use a result of Watrous's [Wat09], where he showed that there
exist classical zero-knowledge proofs for any NP language that are secure against
any poly-time quantum verifier. For completeness we give his definition (adapted
to our terminology) of quantum computational zero-knowledge proof [Wat09, Definition 7].

Definition 4.2.1. An interactive proof system $(P, V)$ for a language $L$ is quantum
computational zero-knowledge if, for every poly-time QIM $V'$, there exists a poly-time
QIM $S_{V'}$ that satisfies the following requirements.

(a) The verifier $V'$ and simulator $S_{V'}$ agree on the polynomially bounded functions
$q$ and $r$ that specify the number of auxiliary input qubits and output qubits,
respectively.

(b) Let $M_{(V',P)}(x)$ be the machine describing the interaction between $V'$ and $P$
on input $x$, and let $M_{S_{V'}}(x)$ be the simulator's machine on input $x$. Then
the ensembles $\{M_{(V',P)}(x) : x \in L\}$ and $\{M_{S_{V'}}(x) : x \in L\}$ are quantum
computationally indistinguishable as per Definition 2.2.4.

Now that we have all building blocks ready, our construction of a classical
ZKAoK protocol is as follows.

ZKAoK Protocol $\Pi_{ZK}$

Phase 1

(a) $V$ chooses $a \leftarrow_R \{0,1\}^n$ at random, and sends $P$ a commitment of $a$:
$c = \mathrm{comm}(a)$.

(b) $P$ sends $b \leftarrow_R \{0,1\}^n$ to $V$.

(c) $V$ sends $P$ the string $a$.

(d) $V$ proves to $P$ that $c$ is indeed a commitment of $a$ using Watrous's
ZK protocol.

(e) $P$ and $V$ set $pk = a \oplus b$ and interpret it as a public key.

Phase 2

(a) $P$, holding an instance $x$ and a witness $w$, encrypts $w$ under $pk$. Let
$e = \mathrm{Enc}_{pk}(w)$. $P$ sends $(x, e)$ to $V$.

(b) $P$ proves to $V$ that $e$ encodes a witness of $x$ using Watrous's ZK
protocol. $V$ outputs $x$ if it accepts in this ZK protocol. Otherwise
it halts.

Theorem 4.2.2. Protocol $\Pi_{ZK}$ quantum stand-alone-emulates $\mathcal{F}_{ZK}$.

Proof Idea. The key idea lies in the inherent power of the simulator $S$ of Watrous's
ZK protocol. Namely, we can use $S$ to generate a fake proof that is indistinguishable
from a real ZK proof run by a prover and a verifier when we don't know a witness
of a statement, or even when there isn't one, i.e., the statement is false.
Specifically, when the verifier is corrupted by an adversary $A$, an ideal-world
adversary $\mathcal{S}$, receiving a true statement $x$ from $\mathcal{F}_{ZK}$, needs to convince $A$ of the
validity of $x$ without knowing a witness. We do know that on true instances, i.e.,
when the ciphertext $e$ indeed encodes a witness $w$, $S$ produces a fake proof successfully
by definition. The trouble then boils down to generating an encryption of $w$ without
knowing $w$. This might sound contradictory, but it is actually very natural. For
instance, suppose a function $f$ maps all strings to $0$; then generating $f(r)$ without
knowing $r$ is trivial: just output $0$! Our situation is more sophisticated, yet shares
the same spirit. We need the so-called "lossy" encryption property that encryptions
of all messages under a uniform string are statistically close. This implies, in
particular, that the encryption of any string under a uniform string $pk$ will coincide
with $\mathrm{Enc}_{pk}(w)$ with high probability. In addition, in its simulation, $\mathcal{S}$ can always
make sure that a uniformly random $pk$ is generated by playing as an honest prover
in Phase 1. This shows how we handle corrupted verifiers.

On the other hand, if the prover is corrupted by $A$, an ideal-world $\mathcal{S}$ needs to
extract a witness $w$ from $e$ whenever $A$ provides an accepting proof in Phase 2.
The trick is that $\mathcal{S}$ can use the ZK simulator $S$ to cheat in Phase 1 and force the
outcome to be a real public key $pk$ of which it knows a corresponding secret key $sk$,
so that $\mathcal{S}$ can decrypt $e$ to recover $w$ in the end. The difficulty is that $\mathcal{S}$ wants to
make $a = pk \oplus b$, but it has to commit to $a$ before seeing $b$. It turns out that we
can commit to $0^n$, and later run $S$ on the false statement that $\mathrm{comm}(0^n)$ is a
commitment of $a$. $S$ must behave equally well as if it were given a true statement
$(\mathrm{comm}(a), a)$, because otherwise $S$ would break the hiding property of the
commitment scheme.
Detailed Proof. For the sake of clarity, we propose a non-interactive notion
of simple hybrid argument, analogous to Def. 4.1.4, which formalizes a common
structure in stand-alone security proofs.

Definition 4.2.3 (Simply related non-interactive machines). We say two QTMs
$M_a$ and $M_b$ are $(t,\varepsilon)$-simply related if there is a time-$t$ QTM $M$ and a pair of
QTMs $N_a, N_b$ such that

(a) $M^{N_a} = M_a$ (for two QTMs $N_1$ and $N_2$, we say $N_1 = N_2$ if they can be
described by the same circuits),

(b) $M^{N_b} = M_b$, and

(c) $N_a$ and $N_b$ are $(t,\varepsilon)$-indistinguishable.

Remark. (i) $M^N$ is the machine that gives $M$ oracle access to $N$. (ii) As a typical
example of a pair of indistinguishable QTMs, consider $N_a$ being a QTM describing
a ZK protocol with a (dishonest) verifier, and $N_b$ being a simulator's machine. Then
by definition of a valid simulator, we have $N_a \approx_{wqc} N_b$. (iii) Machines $(N_a, N_b)$ in
the definition also capture pairs of indistinguishable classical distributions that are
efficiently samplable. Namely, we can let $N_a$ and $N_b$ be samplers sampling from
distributions $D_a$ and $D_b$ respectively.

Definition 4.2.4 (Simple hybrid argument (Non-interactive Version)). Two machines
$M_0$ and $M_\ell$ are related by a $(t,\varepsilon)$-simple hybrid argument of length $\ell$ if there
is a sequence of intermediate machines $M_1, M_2, \ldots, M_{\ell-1}$ such that each adjacent
pair $M_{i-1}, M_i$ of machines, $i = 1, \ldots, \ell$, is $(t, \varepsilon/\ell)$-simply related.

Lemma 4.2.5. For any $t, \varepsilon$ and $\ell$, if two machines are related by a $(t,\varepsilon)$-simple
hybrid argument of length $\ell$, then the machines are $(t,\varepsilon)$-indistinguishable.

Proof. Suppose for contradiction that there exists a time-$t$ QTM $Z$ with advice $\sigma$ such
that $|\Pr[Z((M_0 \otimes 1_R)\sigma_n) = 1] - \Pr[Z((M_\ell \otimes 1_R)\sigma_n) = 1]| > \varepsilon$. Then by the triangle
inequality we can infer that there must exist some $i$ s.t. $|\Pr[Z((M_i \otimes 1_R)\sigma_n) =
1] - \Pr[Z((M_{i+1} \otimes 1_R)\sigma_n) = 1]| > \varepsilon/\ell$. However, by assumption $M_i$ and $M_{i+1}$
are $(t,\varepsilon/\ell)$-simply related and in particular no time-$t$ QTM can distinguish them
with advantage greater than $\varepsilon/\ell$. □
We are now ready to give a clean proof of Theorem 4.2.2 following the simple
hybrid argument framework.

Proof. We first formalize the two NP languages of the ZK argument systems in
Phases 1 and 2, denoted by $L_1$ and $L_2$ respectively.

$L_1 = \{(c, a) : \exists r \in \{0,1\}^* \text{ s.t. } \mathrm{comm}(a, r) = c\}$

$L_2 = \{(pk, x, e) : \exists w, r \in \{0,1\}^* \text{ s.t. } \mathrm{Enc}_{pk}(w, r) = e \wedge (x, w) \in R_L\}$


We also denote the ZK argument systems for $L_1$ and $L_2$ by $\mathrm{ZK}_1$ and $\mathrm{ZK}_2$. The
simulators of $\mathrm{ZK}_1$ and $\mathrm{ZK}_2$ are denoted by $S_1$ and $S_2$ respectively. We stress that
Watrous's ZK protocol has negligible completeness and soundness errors, and in
addition the simulator succeeds for arbitrary quantum poly-time verifiers on true
instances, except with negligible probability.

Prover is corrupted. For any real-world adversary $A$, we construct an ideal-world
adversary $S$.

Simulator $S$: Prover is corrupted
Input: $A$ as a black box; security parameter $1^n$.

1. $S$ initializes $A$ with whatever input state it receives.

2. In Phase 1, $S$ does the following:

(a) Compute $c = \mathrm{comm}(0^n)$ and send it to $A$.

(b) Obtain $b \in \{0,1\}^n$ from $A$.

(c) Run $\mathrm{Gen}(1^n)$ to obtain $(pk, sk)$. Send $a = pk \oplus b$ to $A$.

(d) Run the simulator $S_1$ for $\mathrm{ZK}_1$ with input $(c, a)$.

3. In Phase 2, $S$ obtains $(x, e)$ and executes $\mathrm{ZK}_2$ with $A$. If $\mathrm{ZK}_2$ succeeds,
$S$ decrypts $e$ to get $w = \mathrm{Dec}_{sk}(e)$ and sends $(x, w)$ to $\mathcal{F}_{ZK}$.

4. $S$ outputs whatever $A$ outputs.


Let $M_S$ be the QTM of the ideal-world interaction between $S$, $\mathcal{F}_{ZK}$ and $V$; and let
$M_A$ be the QTM of the real-world interaction between $A$ and $V$.
Lemma 4.2.6. $M_{\Pi_{ZK}, A(P)} \approx_{wqc} M_{\mathcal{F}_{ZK}, S}$.

Proof. We define a sequence of machines to form a hybrid argument:


Hybrid Machines: relating $M_{\Pi_{ZK}, A(P)}$ and $M_{\mathcal{F}_{ZK}, S}$

• $M_0 := M_{\mathcal{F}_{ZK}, S}$. Specifically, on any input state, the output has two
parts: one part corresponds to the adversary $A$'s output state, and
the other corresponds to the verifier's output, which is $x$ if the $w$ obtained
by $S$ in step 3 is a valid witness, i.e., $(x, w) \in R_L$. Otherwise, this
part is empty.

• $M_1$ differs from $M_0$ only in that $M_1$ does not check the validity of $w$
and will output $x$ as long as $\mathrm{ZK}_2$ succeeds.

• $M_2$ differs from $M_1$ in the message $a$ in Phase 1: instead of sending
$pk \oplus b$, in $M_2$, $a \in \{0,1\}^n$ is set to be a uniformly random string.

• $M_3$: in the first step of Phase 1, $M_3$ commits to $a$ instead of
committing to $0^n$.

• $M_4$: instead of running the simulator $S_1$, $M_4$ executes the actual $\mathrm{ZK}_1$
protocol. Observe that $M_4 = M_{\Pi_{ZK}, A(P)}$.


Now it is easy to see:

• $M_0 \approx_{wqc} M_1$. These two QTMs would behave differently only if $\mathrm{ZK}_2$ succeeds
but $w$ is not a valid witness. Specifically, when the ciphertext $e$ does not encode
a valid witness, $M_0$ does not output $x$. On the other hand, $M_1$ might still
output $x$, if $A$ (the corrupted prover) somehow succeeds in proving the false
statement that $e$ encodes a true witness. By the soundness property of $\mathrm{ZK}_2$,
however, we know this only happens with negligible probability.

• $M_1, \ldots, M_4$ form a simple hybrid argument. More specifically, each adjacent
pair of machines constitutes simply related machines:

— $M_1$ and $M_2$ are simply related by switching valid public keys to
uniformly random strings.

— $M_2$ and $M_3$ are simply related by changing the messages being
committed to.

— $M_3$ and $M_4$ are simply related via a pair of indistinguishable QTMs $N_a$
and $N_b$, where $N_a$ is the simulator $S_1$, and $N_b$ is the machine describing
$\mathrm{ZK}_1$.


Thus $M_{\Pi_{ZK}, A(P)} \approx_{wqc} M_{\mathcal{F}_{ZK}, S}$. □

Verifier is corrupted. We construct an ideal-world $S$ for any adversary $A$ that
corrupts the verifier as follows:

Simulator $S$: Verifier is corrupted
Input: $A$ as a black box; security parameter $1^n$.

1. $S$ initializes $A$ with whatever input state it receives.

2. Wait until $x$ is received from $\mathcal{F}_{ZK}$. Then do the following.

3. In Phase 1, $S$ behaves honestly; let the outcome be $pk$.

4. In Phase 2:

(a) $S$ picks an arbitrary string, say $0^{w(n)}$, and sends $e = \mathrm{Enc}_{pk}(0^{w(n)})$
to $A$.

(b) $S$ runs the simulator $S_2$ for $\mathrm{ZK}_2$ with input $(pk, e, x)$.

5. $S$ outputs whatever $A$ outputs.

Let $M_S$ be the QTM of the ideal-world interaction between $P$, $\mathcal{F}_{ZK}$ and $S$; and let
$M_A$ be the QTM of the real-world interaction between $P$ and $A$.

Lemma 4.2.7. $M_{\Pi_{ZK}, A(V)} \approx_{wqc} M_{\mathcal{F}_{ZK}, S}$.

Proof. We define the following machines:

Hybrid Machines: relating $M_{\Pi_{ZK}, A(V)}$ and $M_{\mathcal{F}_{ZK}, S}$

• $M_0 := M_{\mathcal{F}_{ZK}, S}$.

• $M_1$: $M_1$ encrypts a valid witness $w$, instead of $0^{w(n)}$ as in $M_0$.

• $M_2$: instead of running the simulator $S_2$, $M_2$ executes the actual $\mathrm{ZK}_2$
protocol. Observe that $M_2 = M_{\Pi_{ZK}, A(V)}$.

Now it is easy to see: $M_0$, $M_1$ and $M_2$ form a simple hybrid argument. That
is, each adjacent pair of machines constitutes simply related machines:

• $M_0$ and $M_1$ are simply related by changing the plaintext of the encryptions.

• $M_1$ and $M_2$ are simply related via a pair of QTMs $N_a$ and $N_b$, where $N_a$ is
the simulator $S_2$, and $N_b$ is the machine describing $\mathrm{ZK}_2$.

Therefore we have $M_{\Pi_{ZK}, A(V)} \approx_{wqc} M_{\mathcal{F}_{ZK}, S}$. □

Finally, we conclude that Theorem 4.2.2 holds. □

4.3 Putting It Together

Recap the results that we have obtained so far:

(a) Under Assumptions 1 and 2, for any well-formed two-party functionality $\mathcal{F}$,
there is a classical protocol $\Pi_{\mathcal{F}}$ quantum UC-emulating $\mathcal{F}$ in the $\mathcal{F}_{ZK}$-hybrid
model. (Theorem 4.1.1)

(b) Under Assumption 3, there exists a classical protocol $\Pi_{ZK}$ that Q-CSA emulates
$\mathcal{F}_{ZK}$. (Theorem 4.2.2)

Applying the (stand-alone) modular composition theorem (Theorem 3.1.5) to
the above, we obtain the main theorem:

Theorem 4.3.1. For any well-formed classical two-party functionality $\mathcal{F}$, there
exists a classical protocol $\Pi$ that Q-CSA emulates $\mathcal{F}$ against malicious static quantum
adversaries in the plain model, under Assumptions 1, 2 and 3.

Discussions. Along the line of our work, there are a number of straightforward
conjectures. For example, it is likely that our techniques in fact apply to
all the results in CLOS (multi-party, adaptive adversaries) and to corresponding
results in the "generalized" UC model [CDPW07]. Essentially all protocols in the
semi-honest model seem to fit the simple hybrids framework, in particular protocols
based on Yao's garbled-circuits framework (e.g. [BMR90]). It is also likely
that existing proofs in security models which allow super-polynomial simulation
(e.g., [Pas03, PS04, BS05]) will carry through using a similar line of argument to
the one here.

However, our work leaves open some basic questions: for example, can we
construct constant-round ZK with negligible completeness and soundness errors
against quantum verifiers? Watrous's technique does not immediately answer
it since sequential repetition seems necessary in his construction to reduce the
soundness error. A quick look at classical constant-round ZK (e.g., [FS89]) suggests
that witness-indistinguishable proofs of knowledge are helpful. Is it possible
to construct constant-round witness-extendable WI proofs of knowledge? Do
our analyses apply to extensions of the UC framework, such as the generalized UC
framework of [CDPW07]? Finally, more generally, which other uses of rewinding
can be adapted to quantum adversaries? Aside from the original work by
Watrous [Wat09], Damgard and Lunemann [DL09] and Unruh [Unr12] have shown
examples of such adaptation.



Chapter 5

Secure Computation against
Quantum Attacks: Statistical
Setting

We turn to the statistical setting in this chapter. Unfortunately, it is folklore that
there exist functionalities (e.g., $\mathcal{F}_{COM}$) that no (classical) protocols can emulate
statistically in the plain model. In addition, quantum protocols do not help in
this setting either, as shown in quite a few works [LC97, May97, BCS12]. Hence,
one natural option is to allow certain trusted set-ups. The good news is, though, that
there exist functionalities based on which we can securely realize any functionality
against unbounded quantum adversaries. As we will see, for any $\mathcal{F}$,

• there is a classical protocol that Q-SUC emulates $\mathcal{F}$ in the $\mathcal{F}_{OT}$-hybrid model;

• there exists a quantum protocol that Q-SUC emulates $\mathcal{F}$ in the $\mathcal{F}_{COM}$-hybrid
model;

• and there exists a quantum protocol that Q-SUC emulates $\mathcal{F}$ in the $\mathcal{F}_{2CC}$-hybrid
model.

The results for $\mathcal{F}_{OT}$ and $\mathcal{F}_{COM}$ were already known in the literature. Our main
contribution in this chapter is identifying a new functionality, $\mathcal{F}_{2CC}$, based on which
Q-SUC realization of any functionality becomes feasible. Remarkably, the use of
quantum protocols in the $\mathcal{F}_{COM}$- and $\mathcal{F}_{2CC}$-hybrid models is not only sufficient, but
also necessary, as classical protocols in neither the $\mathcal{F}_{COM}$- nor the $\mathcal{F}_{2CC}$-hybrid model can
UC realize $\mathcal{F}_{OT}$ statistically. Thus they give yet another example that quantum
protocols are indeed more powerful in various contexts. These discussions are
adapted from our work [FKS+13].

5.1 Founding Q-SUC Secure Comp. on $\mathcal{F}_{OT}$ and $\mathcal{F}_{COM}$

It is already known in the literature that given $\mathcal{F}_{OT}$ or $\mathcal{F}_{COM}$, one can construct
(quantum) protocols to realize all functionalities. Here we briefly review relevant
results.

First of all, in [IPS08], Ishai et al. extended Kilian's stand-alone result [Kil88]
and showed that for any $\mathcal{F}$, there is a classical protocol that C-SUC emulates $\mathcal{F}$
in the $\mathcal{F}_{OT}$-hybrid model.

Unruh [Unr10] studied statistical UC security in a quantum setting. One useful
tool he showed was a (statistical) quantum lifting lemma, which says that if a
classical protocol is statistically UC (C-SUC) secure then it is also statistically
quantum-UC (Q-SUC) secure.

Fact 1 ([Unr10, Theorem 15] - The Quantum Lifting Lemma). If a (classical)
protocol $\pi$ C-SUC emulates $\mathcal{F}$, then $\pi$ Q-SUC emulates $\mathcal{F}$.

Therefore the lifting lemma immediately implies that any $\mathcal{F}$ can be realized
with quantum-statistical UC security in the $\mathcal{F}_{OT}$-hybrid model.

Moreover, Unruh [Unr10] also showed that the quantum OT protocol proposed
by Bennett et al. [BBCS91] in the $\mathcal{F}_{COM}$-hybrid model Q-SUC emulates $\mathcal{F}_{OT}$. By the
quantum UC composition theorem, it follows that $\mathcal{F}_{COM}$ is also a sufficient setup on
which we can build Q-SUC secure protocols. In summary, we have:

Theorem 5.1.1. For any well-formed $\mathcal{F}$, there exists a classical protocol that Q-SUC
emulates $\mathcal{F}$ in the $\mathcal{F}_{OT}$-hybrid model. There also exists a quantum protocol
that Q-SUC emulates $\mathcal{F}$ in the $\mathcal{F}_{COM}$-hybrid model.
5.2 Founding Q-SUC Secure Comp. on $\mathcal{F}_{2CC}$

In this section, we design a quantum protocol $\Pi_{QOT}$ in the $\mathcal{F}_{2CC}$-hybrid model that
Q-SUC emulates $\mathcal{F}_{OT}$. The quantum UC composition theorem (Theorem 3.3.2)
immediately implies that any $\mathcal{F}$ can be realized in the $\mathcal{F}_{2CC}$-hybrid model, using quantum
protocols.

5.2.1 Realizing $\mathcal{F}_{OT}$ from $\mathcal{F}_{2CC}$: protocol $\Pi_{QOT}$

Our construction of $\Pi_{QOT}$ is motivated by the quantum OT protocol in the $\mathcal{F}_{COM}$-hybrid
model by Bennett et al. [BBCS91]. In their protocol, roughly speaking,
$\mathcal{F}_{COM}$ is used in a checking subroutine to ensure that a malicious Bob measures his
qubits upon arrival (and does not store them until Alice informs him about the
bases used). More specifically, Alice sends several qubits encoded in random bases,
and Bob measures all of them and commits, for each qubit, to the pair $(x^B_i, \theta^B_i)$,
where $x^B_i$ is the outcome of the measurement of the $i$-th qubit and $\theta^B_i$ is the
corresponding basis Bob used. Alice then asks Bob to open a randomly chosen subset
of the committed pairs, and she checks consistency with how she had prepared
the qubits. Intuitively, this indeed ensures that Bob has measured most of the
qubits, as otherwise he would not know what to commit to. Formally proving
this intuition turned out to be non-trivial, with the first rigorous proofs given
in [DFL+09, Unr10, BF10].

Our protocol uses, instead of commitments, invocations of $\mathcal{F}_{2CC}$ to implement
the checking step (see the protocol $\Pi_{QOT}$ below). Intuitively, this should force
Bob to measure all the qubits as in the original protocol based on commitments.
Unfortunately, the formal proof does not carry over. The problem arises from the
fact that in the original protocol, Bob has to commit to all the $\theta^B_i$ and $x^B_i$ before he
gets to see the random subset that Alice chooses for testing consistency, whereas in
our protocol based on $\mathcal{F}_{2CC}$, Bob can make his input $(\theta^B_i, x^B_i)$ to $\mathcal{F}_{2CC}$ adaptively, and
dependent on which prior positions Alice has tested. Current proofs, like [DFL+09,
BF10], cannot deal with that.

In order to deal with this issue, we introduce an adaptive version of the sampling
framework of [BF10]. We then show, analogous to the static setting as in [BF10],
that the security of the OT scheme reduces to the analysis of a quantum sampling
problem in our adaptive sampling framework. Analyzing the quantum sampling
problem can further be reduced to a classical probabilistic analysis, which can be
handled by standard techniques (e.g., Azuma's inequality).

We describe $\Pi_{QOT}$ below and claim:

Theorem 5.2.1. $\Pi_{QOT}$ Q-SUC emulates $\mathcal{F}_{OT}$ in the $\mathcal{F}_{2CC}$-hybrid model.

5.2.2 Security Proof of $\Pi_{QOT}$

This section aims to prove Theorem 5.2.1. We first introduce the necessary notation
for this proof.

• Alphabet $\Sigma = \{0,1\}$

• Hamming weight $\mathrm{wt}(\cdot)$: $\mathrm{wt}(x) :=$ number of 1s in $x \in \{0,1\}^*$

• Relative Hamming weight $\omega(\cdot)$: $\omega(x) := \mathrm{wt}(x)/|x|$, where $|x|$ is the length of $x$.

• Index set $I \subseteq [n]$, where $[n] := \{1, \ldots, n\}$

• Complement of a string $t \in \{0,1\}^n$: $\bar{t} = \bar{t}_1 \ldots \bar{t}_n$, i.e., bit-wise flip.

• Restriction of $x \in \{0,1\}^n$ to a substring w.r.t. an index set $I \subseteq [n]$: $x|_I :=
x_{i_1} \ldots x_{i_k}$, with $i_j \in I$

• Restriction of $x \in \{0,1\}^n$ to a substring w.r.t. a string $t \in \{0,1\}^n$: $x|_t :=
x_{i_1} \ldots x_{i_k}$, with $t_{i_j} = 1$.

• Computational basis $+$: identified with 0.

• Hadamard basis $\times$: identified with 1.

• Trace distance $D(\rho, \sigma) := \frac{1}{2} \mathrm{tr} \sqrt{(\rho - \sigma)^\dagger (\rho - \sigma)}$

We show how to construct an ideal-world simulator S for an adversary corrupting 
Alice or Bob respectively in the quantum UC model. 
Protocol $\Pi_{QOT}$

Parameters: A family $\mathcal{F} = \{f : \{0,1\}^n \to \{0,1\}^\ell\}$ of universal hash
functions.

Parties: The sender Alice and the recipient Bob.

Inputs: Alice gets two $\ell$-bit strings $s_0$ and $s_1$, Bob gets a bit $c$.

1. (Initialization)

1.1 Alice chooses $x^A = (x^A_1, \ldots, x^A_n) \in_R \{0,1\}^n$ and $\theta^A =
(\theta^A_1, \ldots, \theta^A_n) \in_R \{+, \times\}^n$ uniformly at random and sends $|x^A\rangle_{\theta^A}$
to Bob, who denotes the received state by $|\psi\rangle$.

1.2 Bob chooses $\theta^B = (\theta^B_1, \ldots, \theta^B_n) \in_R \{+, \times\}^n$ uniformly at random
and measures the qubits of $|\psi\rangle$ in the bases $\theta^B$; denote the result
by $x^B := (x^B_1, \ldots, x^B_n)$.

2. (Checking)

2.1 For $i = 1, \ldots, n$ the following steps are executed sequentially:

(a) Alice chooses a bit $b_i \in_R \{0,1\}$ uniformly at random.

(b) Alice and Bob invoke $\mathcal{F}_{2CC}$ with inputs $b_i$ and $(x^B_i, \theta^B_i)$,
respectively.

2.2 If in some iteration $i$ of Step 2.1 Alice receives $\theta^B_i = \theta^A_i$ but
$x^B_i \neq x^A_i$, then Alice aborts. If in Step 2.1 Bob receives (as
output of $\mathcal{F}_{2CC}$) the bit $b_i = 1$ more than $3n/5$ times, then Bob
aborts.

2.3 Let $\bar{x}^A$ be the string resulting from removing in $x^A$ the bits at
positions $i$ with $b_i = 1$. Define $\bar{\theta}^A, \bar{x}^B, \bar{\theta}^B$ analogously.

3. (Partition Index Set) Alice sends $\bar{\theta}^A$ to Bob. Bob sets $I_c := \{i :
\bar{\theta}^A_i = \bar{\theta}^B_i\}$ and $I_{1-c} := \{i : \bar{\theta}^A_i \neq \bar{\theta}^B_i\}$. Then Bob sends $(I_0, I_1)$ to
Alice.

4. (Secret Transferring)

4.1 Alice picks a function $f \in_R \mathcal{F}$; for $i = 0, 1$: Alice computes
$m_i := s_i \oplus f(x'_i)$, where $x'_i$ is the $n$-bit string that consists of
$\bar{x}^A|_{I_i}$ padded with zeros, and sends $(f, m_0, m_1)$ to Bob.

4.2 Bob outputs $s := m_c \oplus f(x'_B)$, where $x'_B$ is the $n$-bit string that
consists of $\bar{x}^B|_{I_c}$ padded with zeros.


Corrupted Alice. Intuitively, security against a corrupted Alice requires that
Alice should not be able to figure out Bob's chosen bit $c$. This is conceivable, noting
that Alice does not learn anything about the bases Bob used for the unchecked
qubits. This is because at these positions, Alice inputs $b_i = 0$ to $\mathcal{F}_{2CC}$ and hence
always gets output $\bot$ from $\mathcal{F}_{2CC}$. Therefore, from Alice's view, the index sets $I_0$
and $I_1$ received from Bob will be a random partition. Formally, we need to construct
a simulator $S$ in the ideal world who produces a transcript indistinguishable
from that in the real protocol, without knowing the chosen bit of (honest) Bob.
One main task $S$ needs to accomplish is extracting two secret strings $(s_0, s_1)$ from
corrupted Alice, so that $S$ can feed them to the external $\mathcal{F}_{OT}$ functionality. The
idea is that $S$ can "cheat" in the checking phase by only measuring the qubits that
the adversary asks about. $S$ can do so without being caught, and thus without disturbing
the transcript (also the adversary's view), because in the ideal world $\mathcal{F}_{2CC}$ is simulated
internally by $S$, who thus sees the checking bit $b_i$ that corrupted Alice sends to
$\mathcal{F}_{2CC}$ and can decide afterwards whether it is necessary to respond to Alice honestly.
As a result, once $S$ receives the bases $\theta^A$ after the checking phase, he can
measure the remaining qubits in $\theta^A$ and thus know all of $x^A$. This allows him to
recover both $s_0$ and $s_1$ from $m_i = s_i \oplus f(x^A|_{I_i})$.

Simulating corrupted Alice. Given an adversary $A$ that corrupts Alice, we
construct a simulator $S$ as follows (Figure 5.1).

Proposition 5.2.2. $M_{\Pi_{QOT}, A} \approx_{qs} M_{\mathcal{F}_{OT}, S}$, and $S$ runs in time polynomial in the running
time of $A$.

The proof is straightforward and follows the very same lines as in the standard
protocol for quantum OT from commitment. We omit the formal proof.

Corrupted Bob. The case that Bob is corrupted is much more challenging.
Basically, we want to prevent a malicious Bob from learning $s_{1-c}$ in addition to
his chosen secret $s_c$. We know that $s_{1-c}$ is masked by $f(x^A|_{I_{1-c}})$; to ensure that
Bob learns nothing about $s_{1-c}$, it thus suffices to show that $f(x^A|_{I_{1-c}})$ is close
to uniformly random, or equivalently, due to privacy amplification (cf. [Ren05,
RK05]), that $x^A|_{I_{1-c}}$ has sufficient min-entropy even conditioned on Bob's view in
the protocol.
Simulator $S$ (when Alice is corrupted)

Inputs: Environment $Z$ generates inputs: the chosen bit $c$ is given to honest
(dummy) Bob; and the input to $A$ is passed through $S$.

1. (Initialization) $S$ behaves as an honest Bob does in the real protocol
$\Pi_{QOT}$.

2. (Checking)

2.1 For $i = 1, \ldots, n$ the following steps are executed sequentially:

(a) $S$ internally simulates $\mathcal{F}_{2CC}$, so when $A$ inputs $b_i$ to $\mathcal{F}_{2CC}$, $S$
records it.

(b) If $b_i = 0$, $S$ sends $\bot$ to $A$.

(c) If $b_i = 1$, $S$ measures the $i$-th qubit in a randomly chosen
basis $\theta^B_i \in_R \{+, \times\}$ and sends both $\theta^B_i$ and the outcome $x^B_i$
to $A$.

2.2 $S$ aborts if at any time $A$ aborts or $S$ sees more than $3n/5$ indices $i$ with
$b_i = 1$.

3. (Partition Index Set) Let $\theta^A$ be the bases received from $A$. $S$ measures
the remaining qubits under $\theta^A$, and obtains $x^B$. $S$ then randomly
partitions the indices into $I_0$ and $I_1$ and sends them to $A$.

4. (Secret Transferring) Upon receiving $(f, m_0, m_1)$, $S$ computes $s'_0 :=
m_0 \oplus f(x^B|_{I_0})$ and $s'_1 := m_1 \oplus f(x^B|_{I_1})$. $S$ gives $\mathcal{F}_{OT}$ the pair $(s'_0, s'_1)$.
Outputs whatever $A$ outputs in the end.


Figure 5.1. Simulating corrupted Alice.

In order to derive such a claim, we first describe a variant^1 $\Pi^{EPR}_{QOT}$ of $\Pi_{QOT}$, which
is based on EPR pairs and is equivalent to $\Pi_{QOT}$ from Bob's perspective. It then
allows us to adapt a sampling framework proposed by Bouman and Fehr [BF10] to
argue about a lower bound on the min-entropy we are interested in. The high-level
approach is:

• Interpret the checking phase in $\Pi^{EPR}_{QOT}$ as a sampling game (to be defined
shortly) over qubits.

• Analysis of the sampling game will imply that if Bob passes the checking
phase, then the real joint state of Alice and Bob after the checking phase in
the protocol will be negligibly close to an ideal state.

• Finally we argue that if one measured Alice's system in the ideal state and
got a string $x$, then no matter how Bob partitions the index sets $(I_0, I_1)$,
there exists a $c$ such that a high amount of min-entropy is preserved in $x|_{I_{1-c}}$.

Thus we see that if Bob indeed passes the checking phase in the real protocol,
$f(x^A|_{I_{1-c}})$ will be statistically close to uniform, except with negligible probability.

^1 This is a standard proof trick in the literature used in proving BB84-type quantum
cryptographic protocols, dating back to [SP00].

However, the sampling framework in [BF10] is not immediately applicable in 
our setting because it seems to be specific to a static sampling scenario, where the 
classical string or quantum state is fixed before the sampling starts. Our checking 
phase, using J^ 2 cc hr sequential, resembles an adaptive-type sampling, where data 
are coming in an on-line fashion, and in particular could be generated adaptively 
based on the information about which previous data have been chosen as samples. 
To cope with this, we generalize their framework to capture an adaptive sampling 
setting, and subsumes most of their results as a special case. This extension may be 
useful independently in other applications, is an upper bound on the classical error 
probability of the sampling strategy buried in our checking phase of the protocol 

TT 2 

ttqoT • 

We now describe the EPR-based protocol Hg™ in Fig. 5.2; note that Bob’s 
actions are as in n Q o T and thus omitted in the description of Hg™. Also recall that 
9 A denotes the restriction of 9 A to those positions with 6* = 0. 

Protocol $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$

Inputs: Alice gets two $\ell$-bit strings $s_0$ and $s_1$; Bob gets a bit $c$.

1. (Initialization) Alice generates $n$ EPR pairs $|\Phi\rangle^{\otimes n} = \big[\tfrac{1}{\sqrt 2}(|00\rangle + |11\rangle)\big]^{\otimes n}$ and sends Bob one half of each pair. Alice chooses $\theta^A \in \{+,\times\}^n$ at random, but does not measure her halves of the EPR pairs.

2. (Checking)

   2.1 For $i = 1, \ldots, n$ the following steps are executed sequentially.

       (a) Alice chooses a bit $b_i \in_R \{0,1\}$ uniformly at random.

       (b) Alice and Bob call $\mathcal{F}_{2\mathrm{CC}}$ with inputs $b_i$ and $(x_i^B, \theta_i^B)$, respectively.

   2.2 For every $i \in \{1, \ldots, n\}$ with $b_i = 1$, Alice measures her qubit of the $i$-th EPR pair in basis $\theta_i^B$ (not $\theta_i^A$) to obtain the bit $x_i^A$. If $x_i^A \neq x_i^B$ for some $i$ with $b_i = 1$ and $\theta_i^A = \theta_i^B$, then Alice aborts.

       If not, then Alice continues and measures her remaining qubits under $\theta^A$ to obtain $x^A$.

3. (Partition Index Set) Same as $\Pi_{\mathrm{QOT}}$.

4. (Secret Transferring) Same as $\Pi_{\mathrm{QOT}}$.

Figure 5.2. Protocol $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$ for OT.

Claim 5.2.3. $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$ and $\Pi_{\mathrm{QOT}}$ are equivalent from Bob's view, i.e., $\Pi_{\mathrm{QOT}}$ is quantum-UC secure against malicious Bob if and only if $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$ is.

Proof. Note that if Alice were to measure her EPR halves in the random bases $\theta^A$ right after step 1, this would be equivalent to encoding a random $n$-bit string into $n$ qubits under random bases, which is exactly what happens in $\Pi_{\mathrm{QOT}}$. But Alice's measurement operations commute with Bob's operations up to step 2.2, since they act on different spaces. Therefore, from Bob's perspective, postponing Alice's measurements to step 2.2 has no effect. The only difference left is that Alice measures all those positions where $b_i = 1$ and $\theta_i^A \neq \theta_i^B$ under $\theta_i^B$, whereas in $\Pi_{\mathrm{QOT}}$ she measures them in $\theta_i^A$. However, these qubits are not used anyway and are discarded thereafter. Hence Bob will not notice any difference. □

$^2$ Actually, the analysis will be applied to an equivalent (from Bob's perspective) protocol $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$. See the proof below.
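As an added illustration (this is not code from the thesis), the following Python script simulates an honest run of $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$ classically. Every measurement in the protocol is in the $+$ or $\times$ basis on a $|\Phi\rangle$ pair, so coins reproduce the measurement statistics exactly: equal bases give identical uniform outcomes, different bases give independent uniform outcomes. Steps 3 and 4 are "same as $\Pi_{\mathrm{QOT}}$" on the page and are filled in here by assumption along the BBCS91 template: Alice reveals $\theta^A$ on the unchecked positions, honest Bob puts the matching-basis positions into $I_c$, $f$ is a random binary Toeplitz matrix (a universal hash family), and the inputs to $f$ are zero-padded to a common length. The semantics of $\mathcal{F}_{2\mathrm{CC}}$ (Alice learns Bob's pair iff $b_i = 1$) is likewise assumed. The script also applies the simulator's rule for picking $c$ from Figure 5.3 and reports whether, for honest Bob, it coincides with his actual choice bit.

```python
"""Classical simulation of an honest run of Pi_QOT^EPR (Figure 5.2).

Added example, not code from the thesis.  Every measurement is in the + or x
basis on a |Phi> pair, so coins reproduce the statistics exactly: equal bases
give identical uniform outcomes, different bases independent ones.

Assumptions (the page leaves them open): F_2CC hands Alice Bob's pair iff
b_i = 1; step 3 follows the BBCS91 template (Alice reveals theta^A on the
unchecked positions, Bob puts matching-basis positions into I_c); f is a random
binary Toeplitz matrix, a universal hash family; inputs to f are zero-padded
to a common length n.
"""
import random


def measure_epr_pair(theta_a, theta_b, rng):
    """Outcomes of measuring both halves of |Phi> in bases theta_a, theta_b
    (0 = '+', 1 = 'x')."""
    x_a = rng.getrandbits(1)
    x_b = x_a if theta_a == theta_b else rng.getrandbits(1)
    return x_a, x_b


def toeplitz_hash(seed, x):
    """f(x) for the binary Toeplitz matrix T[i][j] = seed[i - j + m - 1];
    seed has length ell + m - 1 (assumed hash family)."""
    m = len(x)
    ell = len(seed) - m + 1
    return [sum(seed[i - j + m - 1] & x[j] for j in range(m)) & 1
            for i in range(ell)]


def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]


def restrict_padded(x, positions, n):
    """x restricted to `positions`, other coordinates zeroed (assumption)."""
    return [x[i] if i in positions else 0 for i in range(n)]


def simulator_choice(theta_a, theta_b, i_0, i_1):
    """Rule of Figure 5.3: c is the index set on which theta^A and theta^B
    are closer in Hamming distance."""
    d_0 = sum(theta_a[i] ^ theta_b[i] for i in i_0)
    d_1 = sum(theta_a[i] ^ theta_b[i] for i in i_1)
    return 0 if d_0 <= d_1 else 1


def run_qot_epr(s_0, s_1, c, n, rng):
    """Honest Alice (inputs s_0, s_1) and honest Bob (input c)."""
    ell = len(s_0)
    assert len(s_1) == ell and ell < n / 8  # Theorem 5.2.5: ell = lambda*n, lambda < 1/8
    theta_a = [rng.getrandbits(1) for _ in range(n)]  # step 1: Alice's bases
    theta_b = [rng.getrandbits(1) for _ in range(n)]  # Bob's measurement bases
    b = [rng.getrandbits(1) for _ in range(n)]        # step 2.1(a): cut-and-choose bits
    x_a, x_b = [0] * n, [0] * n
    for i in range(n):
        # step 2.1(b)/2.2: on checked positions Alice learns (x_i^B, theta_i^B)
        # through F_2CC and measures in theta_i^B; elsewhere she uses theta_i^A.
        alice_basis = theta_b[i] if b[i] else theta_a[i]
        x_a[i], x_b[i] = measure_epr_pair(alice_basis, theta_b[i], rng)
        if b[i] and theta_a[i] == theta_b[i] and x_a[i] != x_b[i]:
            raise RuntimeError("Alice aborts at checked position %d" % i)
    unchecked = [i for i in range(n) if not b[i]]
    # step 3 (assumed BBCS91 partition): matching-basis positions form I_c.
    i_match = {i for i in unchecked if theta_a[i] == theta_b[i]}
    i_other = {i for i in unchecked if theta_a[i] != theta_b[i]}
    i_sets = {c: i_match, 1 - c: i_other}
    # step 4: f <- F, m_j = s_j XOR f(x^A|_{I_j}).
    seed = [rng.getrandbits(1) for _ in range(ell + n - 1)]
    m = {j: xor(s, toeplitz_hash(seed, restrict_padded(x_a, i_sets[j], n)))
         for j, s in ((0, s_0), (1, s_1))}
    # Bob's outcomes equal Alice's on I_c, so m_c unmasks s_c.  On I_{1-c} his
    # bases differ from hers, which is the min-entropy Theorem 5.2.5 exploits.
    recovered = xor(m[c], toeplitz_hash(seed, restrict_padded(x_b, i_sets[c], n)))
    return {
        "recovered": recovered,
        "simulator_c": simulator_choice(theta_a, theta_b, i_sets[0], i_sets[1]),
        "checked": n - len(unchecked),
        "basis_mismatches_on_other": len(i_other),
    }


def demo(seed, c, n=128, ell=8):
    """One seeded honest execution; returns (s_c, Bob's result)."""
    rng = random.Random(seed)
    s_0 = [rng.getrandbits(1) for _ in range(ell)]
    s_1 = [rng.getrandbits(1) for _ in range(ell)]
    return (s_0, s_1)[c], run_qot_epr(s_0, s_1, c, n, rng)


if __name__ == "__main__":
    s_c, out = demo(2013, 1)
    print("Bob recovered s_1:", out["recovered"] == s_c,
          "| simulator would pick c =", out["simulator_c"],
          "| positions checked:", out["checked"])
```

For honest Bob the simulator's rule always lands on his own $c$, because $I_c$ is exactly the set where $\theta^A$ and $\theta^B$ agree; the interesting case, a malicious Bob who partitions arbitrarily, is what Theorem 5.2.5 handles, and a Bob who lies to $\mathcal{F}_{2\mathrm{CC}}$ trips the abort in step 2.2 with probability growing in the number of checked positions.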

As a result, it suffices to show how to simulate an arbitrary adversary $\mathcal{A}$ that corrupts Bob in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$, which comes next.

Simulating corrupted Bob. Given an adversary $\mathcal{A}$ in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$ that corrupts Bob, we construct a simulator $\mathcal{S}$ as in Figure 5.3.

Simulator $\mathcal{S}$: Bob is corrupted

Inputs: The environment $\mathcal{Z}$ generates the inputs: $s_0$ and $s_1$ are given to honest (dummy) Alice, and the input to $\mathcal{A}$ is passed through $\mathcal{S}$.

1. (Initialization) $\mathcal{S}$ initializes an execution with corrupted Bob, just as in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$.

2. (Checking) $\mathcal{S}$ runs the checking procedure as in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$. Note that in the present situation $\mathcal{S}$ simulates each $\mathcal{F}_{2\mathrm{CC}}$ internally, and thus sees all $(x_i^B, \theta_i^B)$ that corrupted Bob sent to $\mathcal{F}_{2\mathrm{CC}}$.

3. (Partition Index Set) $\mathcal{S}$ expects to receive $(I_0, I_1)$ from $\mathcal{A}$.

4. (Secret Transferring) Alice sends $(s_0, s_1)$ to the ideal functionality $\mathcal{F}_{\mathrm{OT}}$. $\mathcal{S}$ sets $c \in \{0,1\}$ to be such that $wt(\theta^A|_{I_c} \oplus \theta^B|_{I_c}) \le wt(\theta^A|_{I_{1-c}} \oplus \theta^B|_{I_{1-c}})$ (that is, the Hamming distance between $\theta^A$ and $\theta^B$, restricted to $I_{1-c}$, is the larger one), sends $c$ to the (external) $\mathcal{F}_{\mathrm{OT}}$ and obtains $s_c$. $\mathcal{S}$ then sends $f \in_R \mathcal{F}$, $m_c := s_c \oplus f(x^A|_{I_c})$ and $m_{1-c} \in_R \{0,1\}^\ell$, and outputs whatever $\mathcal{A}$ outputs in the end.

Figure 5.3. Simulating corrupted Bob in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$.

Proposition 5.2.4. The real execution of $\Pi_{\mathrm{QOT}}$ with $\mathcal{A}$ and the ideal execution of $\mathcal{F}_{\mathrm{OT}}$ with $\mathcal{S}$ are quantum-statistically indistinguishable ($\approx_{qs}$), and $\mathcal{S}$ runs in time polynomial in the running time of $\mathcal{A}$.

Proof. Observe that the simulation by $\mathcal{S}$ differs from the real-world execution only in the last, secret transferring, phase: in both cases $m_c = s_c \oplus f(x^A|_{I_c})$, but $m_{1-c} = s_{1-c} \oplus f(x^A|_{I_{1-c}})$ in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$, while during the simulation $\mathcal{S}$ sets $m_{1-c} \in_R \{0,1\}^\ell$. However, as we will argue formally in Theorem 5.2.5, after the checking phase Alice's system $A$ restricted to $I_{1-c}$ has high min-entropy even conditioned on the adversary's view. Hence $f$ will effectively extract $\ell$ uniformly random bits. □

Theorem 5.2.5. If $\ell = \lambda n$, where $\lambda$ is a constant strictly smaller than $1/8$, then the following holds. Let $M_0$ and $M_1$ be the two message systems generated by Alice in $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$. Then there exists $c \in \{0,1\}$ such that $M_{1-c}$ is close to uniformly random and independent of Bob's view:
$$D\Big(\rho_{M_{1-c} M_c B},\ \tfrac{1}{2^\ell}\mathbb{1} \otimes \rho_{M_c B}\Big) \le \mathrm{negl}(n).$$

Proving Theorem 5.2.5 is the most technically challenging part of establishing the security of $\Pi_{\mathrm{QOT}}$. In what follows we develop the technical tools and give a proof.

5.3 An Adaptive Quantum Sampling Framework

In this section, we introduce an adaptive version of the (classical and quantum) sampling framework of [BF10]. This will give us the right tool to prove the security of our OT protocol based on the $\mathcal{F}_{2\mathrm{CC}}$ functionality.

In the (non-adaptive) sampling framework from [BF10], the goal is to estimate the Hamming distance of a fixed but unknown string $x$ (over the binary or some other finite alphabet) to a fixed and known reference string $\bar x$ by sampling and "looking" at a few randomly chosen positions of $x$.$^3$ Actually, for technical reasons, the goal is to estimate the Hamming distance of the remainders of the strings $x$ and $\bar x$, when the sampled positions are removed. For later convenience, it is useful to think of $x$ and $\bar x$ as being chosen by a party Bob in an arbitrary way, and of the sampling as being performed by some other party Alice. In the quantum version, the string $x$ is replaced by an $n$-qubit (or qudit) state $A$, and the sampling is done by sampling and measuring a few randomly chosen positions of $A$, using a fixed reference basis $\theta$. As shown in [BF10], if the observed sample is close to $\bar x$ (in the sampled positions), then the state of the remaining qubits is close to a superposition of strings (encoded into quantum states) with small Hamming distance to $\bar x$ (on the unsampled positions). Furthermore, the error is related to the error probability of the corresponding classical sampling procedure.

We extend these results to an adaptive setting, where $x$ and $\bar x$ are chosen in an adaptive way: position by position, Bob fixes $x_i$ and $\bar x_i$, and Alice announces whether she chooses position $i$ as part of the sample or not. Hence, Bob can choose $x_i$ and $\bar x_i$ depending on which previous positions Alice chose. For the quantum version, Bob still has to fix the state in advance, but he can choose $\theta$ and $\bar x$ adaptively, position by position.

We now make this formal, and we show that the results of [BF10] still hold in this adaptive setting. Let $n \in \mathbb{N}$ be a positive integer and $\Sigma$ be a finite alphabet. A sampling strategy is specified by the distribution according to which Alice chooses the sample, and the (possibly randomized) function that she uses to process the sample.

Definition 5.3.1 (Sampling Strategy). A sampling strategy $\Psi$ consists of a triple $(P_T, P_S, f)$, where $P_T$ is a distribution over $\{0,1\}^n$, $P_S$ is a distribution over an arbitrary finite set $S$, and $f$ is a function $f : \Sigma^* \times \{0,1\}^n \times S \to \mathbb{R}$.

$^3$ Without loss of generality, $\bar x$ is set to the all-$0$ string in [BF10].

This definition coincides with the definition in [BF10]; the adaptivity comes into the picture when defining the error probability, which captures how well a sampling strategy performs when applied in an adaptive or a non-adaptive setting. Although our results hold more generally, in the remainder we restrict to the binary setting where $\Sigma = \{0,1\}$.

Informally, a sampling strategy $\Psi = (P_T, P_S, f)$ is to be interpreted as follows: Alice chooses $t \in \{0,1\}^n$ according to $P_T$, "looks" at the positions $x_i$ of $x$ with $t_i = 1$, and computes $f(x_t \oplus \bar x_t, t, s)$ as an estimate for the relative Hamming weight $w(x_{\bar t} \oplus \bar x_{\bar t})$, where $s$ is chosen according to $P_S$, and $x_t$ stands for the restriction of $x$ to those positions with $t_i = 1$ (and correspondingly for $x_{\bar t}$, $\bar x_t$ etc.). A canonical example sampling strategy is as follows.

Example 1. $P_T$ is the uniform distribution over $\{0,1\}^n$, $S$ is empty, and $f(x_t \oplus \bar x_t, t) = w(x_t \oplus \bar x_t)$, i.e., Alice samples a random subset and computes the relative Hamming distance within the sample.

A less canonical example, but one that is important for us, is as follows.

Example 2. As above, Alice samples a random subset, but then she computes her estimate for $w(x_{\bar t} \oplus \bar x_{\bar t})$ as $f(x_t \oplus \bar x_t, t, s) = w(x_s \oplus \bar x_s)$ for a random $s \in \{0,1\}^n$ subject to $t_i = 0 \Rightarrow s_i = 0$. In other words, she only uses a random subset of the random sample to compute the estimate.

In order to define the error probability of a given sampling strategy $\Psi = (P_T, P_S, f)$ in the adaptive setting, we consider the following adaptive sampling game, given in Figure 5.4, that is associated to $\Psi$. The game should be understood in that Bob may choose each pair $(x_i, \bar x_i)$ in an arbitrary and adaptive way, depending on what he has seen so far, and Alice only "looks" at those positions where $t_i = 1$, and computes her estimate based on those positions.

We point out once more that the difference to the non-adaptive sampling game considered in [BF10] is that in the non-adaptive case, Bob has to provide all $x_i$ and $\bar x_i$'s in advance, before (or without) learning $t$. Additionally, [BF10] assumes without loss of generality that $\bar x = 0$; we could do this here as well, but we do not.

Adaptive Sampling Game $\mathcal{G}$

1. Alice chooses $t \in \{0,1\}^n$ according to $P_T$, and $s \in S$ according to $P_S$.

2. For $i = 1, \ldots, n$ the following steps are executed sequentially:

   (a) Bob generates and sends to Alice $x_i, \bar x_i \in \Sigma$.

   (b) Alice sends $t_i$ to Bob.

3. Alice outputs $\mu_{t,s} := f(x_t \oplus \bar x_t, t, s)$.

Figure 5.4. Adaptive sampling game.

Intuitively, a sampling strategy $\Psi$ is "good" if in the above adaptive sampling game, $\mu_{t,s} = f(x_t \oplus \bar x_t, t, s)$ provides a good estimate of $w(x_{\bar t} \oplus \bar x_{\bar t})$, the relative Hamming distance between $x_{\bar t}$ and $\bar x_{\bar t}$. We now make this precise. For a given sampling strategy $\Psi$, and for any $\bar x \in \Sigma^n$, $t \in \{0,1\}^n$, $s \in S$ and $\delta > 0$, we define the set
$$B^\delta_{t,s,\bar x}(\Psi) := \big\{\, x \in \Sigma^n : |w(x_{\bar t} \oplus \bar x_{\bar t}) - f(x_t \oplus \bar x_t, t, s)| < \delta \,\big\}.$$
$B^\delta_{t,s,\bar x}(\Psi)$ consists of all the strings $x$ for which Alice's estimate is $\delta$-close to being accurate in case she samples $t$ and $s$ and Bob provides the reference string $\bar x$. If $\Psi$ is clear from the context, we may simply write $B^\delta_{t,s,\bar x}$.

Note that for any fixed strategy $\mathcal{B}$ for Bob in the adaptive sampling game, the random variables $T, S, X$ and $\bar X$ that describe the choices of $t, s, x$ and $\bar x$ in the adaptive sampling game are well defined, and so is the random variable $B^\delta_{T,S,\bar X}(\Psi)$, which takes on sets as values. The adaptive error probability of a sampling strategy $\Psi$ is defined as the maximal probability that $X$ lies outside the set $B^\delta_{T,S,\bar X}(\Psi)$, i.e., that Alice's estimate is far off, maximized over the possible strategies of Bob.

Definition 5.3.2 (Classical adaptive error probability). The classical adaptive error probability of a sampling strategy $\Psi = (P_T, P_S, f)$ is defined as
$$\varepsilon^\delta_c(\Psi) := \max_{\mathcal{B}} \Pr\big[X \notin B^\delta_{T,S,\bar X}(\Psi)\big],$$
parameterized by $0 < \delta < 1$, where the max is over all strategies $\mathcal{B}$ for Bob.

Note that the randomness is over the choices of $T$ and $S$, and the (adaptive) choices of $X$ and $\bar X$, specified by the strategy $\mathcal{B}$.

We now extend our study to the sampling of quantum states. We define a quantum sampling game as follows.

Quantum Adaptive Sampling Game $\mathcal{G}^q$

1. Bob prepares an arbitrary state $|\varphi_{AE}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$, where $A$ consists of $n$ qubits and $E$ is arbitrary, and sends $A$ to Alice. Alice chooses $t \in \{0,1\}^n$ according to $P_T$, and $s \in S$ according to $P_S$.

2. For $i = 1, \ldots, n$ the following steps are executed sequentially:

   (a) Bob generates (possibly by processing $E$) $\theta_i, \bar x_i \in \Sigma$, and sends them to Alice.

   (b) Alice sends $t_i$ to Bob.

3. For every $i$ with $t_i = 1$, Alice measures the $i$-th qubit of $A$ in basis $\theta_i$ to obtain $x_i$, and she outputs $\mu_{t,s} := f(x_t \oplus \bar x_t, t, s)$.

Figure 5.5. Quantum adaptive sampling game.

Following [BF10], we want to understand what can be concluded about the state of the unmeasured qubits from the estimate $\mu_{t,s}$. For this, for a given strategy $\mathcal{B}$ for Bob, let $|\varphi^{t,s,\bar x,\theta}_{AE}\rangle$ be the state of the joint system $AE$ right before step 3. Also taking into account the randomized classical data $t, s, \bar x, \theta$, we can describe the joint state before step 3 by means of the density matrix
$$\rho_{TS\bar X\Theta AE} = \sum_{t,s,\bar x,\theta} P_{TS\bar X\Theta}(t,s,\bar x,\theta)\, |t,s,\bar x,\theta\rangle\langle t,s,\bar x,\theta| \otimes |\varphi^{t,s,\bar x,\theta}_{AE}\rangle\langle\varphi^{t,s,\bar x,\theta}_{AE}| .$$

Note that in the non-adaptive setting [BF10], $\bar X$ and $\Theta$ are fixed (without loss of generality to all $0$'s, both), and the systems $TS$ and $AE$ are independent. Here, due to the adaptive sampling game, $\bar X$ and $\Theta$ may be randomized as well, and there may be some dependency between $TS$ and $AE$.

We compare the above real state $\rho_{TS\bar X\Theta AE}$ with an ideal state, which is a state of the form
$$\tilde\rho_{TS\bar X\Theta AE} = \sum_{t,s,\bar x,\theta} P_{TS\bar X\Theta}(t,s,\bar x,\theta)\, |t,s,\bar x,\theta\rangle\langle t,s,\bar x,\theta| \otimes |\tilde\varphi^{t,s,\bar x,\theta}_{AE}\rangle\langle\tilde\varphi^{t,s,\bar x,\theta}_{AE}|$$
with
$$|\tilde\varphi^{t,s,\bar x,\theta}_{AE}\rangle \in \mathrm{span}_\theta\big(B^\delta_{t,s,\bar x}\big) \otimes \mathcal{H}_E$$
for all $t, s, \bar x$ and $\theta$, where
$$\mathrm{span}_\theta\big(B^\delta_{t,s,\bar x}\big) := \mathrm{span}\{\, |x\rangle_\theta : x \in B^\delta_{t,s,\bar x} \,\} = \mathrm{span}\{\, |x\rangle_\theta : |w(x_{\bar t} \oplus \bar x_{\bar t}) - f(x_t \oplus \bar x_t, t, s)| < \delta \,\},$$
and where $|x\rangle_\theta$ means that each bit $x_i$ of $x$ is encoded in basis $\theta_i$.

Essentially by definition of the ideal state, if step 3 of the quantum adaptive sampling game is done on the ideal rather than the real state, then the resulting state $\tilde\rho_{TS\bar X\Theta X_T A_{\bar T} E}$, after Alice has measured the qubits with $t_i = 1$, satisfies
$$\tilde\rho_{A_{\bar t}E \,|\, T=t, S=s, \bar X=\bar x, \Theta=\theta, X_T=x_t} = |\tilde\varphi_{A_{\bar t}E}\rangle\langle\tilde\varphi_{A_{\bar t}E}|$$
with $|\tilde\varphi_{A_{\bar t}E}\rangle$ (where we leave the dependency of the state on $t, s$ etc. implicit) of the form
$$|\tilde\varphi_{A_{\bar t}E}\rangle = \sum_y \alpha_y\, |y\rangle_{\theta_{\bar t}} |\psi^y_E\rangle,$$
where the sum is over all $y \in \{0,1\}^{wt(\bar t)}$ whose relative Hamming distance to $\bar x_{\bar t}$ is at most $\delta$ away from $\mu_{t,s} = f(x_t \oplus \bar x_t, t, s)$. In other words, it is a superposition over a "small" number of basis states if $\mu_{t,s}$ is close or equal to $0$ (as will be the case in the analysis of $\Pi_{\mathrm{QOT}}$).

Definition 5.3.3 (Quantum adaptive error probability). The quantum adaptive error probability of a sampling strategy $\Psi = (P_T, P_S, f)$ is defined as
$$\varepsilon^\delta_q(\Psi) := \max_{\mathcal{B}^q}\ \min_{\tilde\rho_{TS\bar X\Theta AE}} D\big(\rho_{TS\bar X\Theta AE},\ \tilde\rho_{TS\bar X\Theta AE}\big),$$
parameterized by $0 < \delta < 1$. The max is over all possible strategies $\mathcal{B}^q$ for Bob, and the minimum is over all ideal states of the form of $\tilde\rho_{TS\bar X\Theta AE}$ above.

By definition, if the quantum error probability is small then the resulting quantum state of $\mathcal{G}^q$ will behave, except with probability at most $\varepsilon^\delta_q$, like an ideal state in which the unmeasured part of system $A$ is in a superposition over a small set of orthogonal states.

Similar to the non-adaptive case of [BF10], we show the following relation between $\varepsilon^\delta_q$ and $\varepsilon^\delta_c$, for any sampling strategy.

Proposition 5.3.4. For any sampling strategy $\Psi$ and for any $0 < \delta < 1$, $\varepsilon^\delta_q(\Psi) \le \sqrt{\varepsilon^\delta_c(\Psi)}$.

The proof makes use of the following simple fact. For any strategy $\mathcal{B}^q$ for Bob in the quantum sampling game $\mathcal{G}^q$, there exists an associated strategy $\mathcal{B}$ for Bob in the classical sampling game $\mathcal{G}$, where Bob chooses $|\varphi_{AE}\rangle$ and the $\theta_i$ and $\bar x_i$'s as in $\mathcal{B}^q$, but he keeps the qubits $A$, and instead of sending $\theta_i$ in step $i$, he measures the $i$-th qubit of $A$ in basis $\theta_i$ and sends the measurement outcome $x_i$ to Alice (along with $\bar x_i$).

Proof. We show that for any strategy for Bob resulting in the (real) state $\rho_{TS\bar X\Theta AE}$, there exists a suitable ideal state $\tilde\rho_{TS\bar X\Theta AE}$ with $D(\rho_{TS\bar X\Theta AE}, \tilde\rho_{TS\bar X\Theta AE}) \le \sqrt{\varepsilon^\delta_c}$. We construct $\tilde\rho_{TS\bar X\Theta AE}$ as required, where the $|\tilde\varphi^{t,s,\bar x,\theta}_{AE}\rangle$'s are defined by the following decomposition into orthogonal components:
$$\begin{aligned}
|\varphi^{t,s,\bar x,\theta}_{AE}\rangle
&= \Pi^{t,s,\bar x,\theta}\,|\varphi^{t,s,\bar x,\theta}_{AE}\rangle + \big(\mathbb{1} - \Pi^{t,s,\bar x,\theta}\big)\,|\varphi^{t,s,\bar x,\theta}_{AE}\rangle \\
&= \langle\tilde\varphi^{t,s,\bar x,\theta}_{AE}|\varphi^{t,s,\bar x,\theta}_{AE}\rangle\,|\tilde\varphi^{t,s,\bar x,\theta}_{AE}\rangle + \langle\tilde\varphi^{t,s,\bar x,\theta,\perp}_{AE}|\varphi^{t,s,\bar x,\theta}_{AE}\rangle\,|\tilde\varphi^{t,s,\bar x,\theta,\perp}_{AE}\rangle,
\end{aligned}$$
where $\Pi^{t,s,\bar x,\theta} = \sum_{x \in B^\delta_{t,s,\bar x}} |x\rangle\langle x|_\theta \otimes \mathbb{1}_E$ and $\mathbb{1} - \Pi^{t,s,\bar x,\theta}$ are the orthogonal projections onto $\mathrm{span}_\theta(B^\delta_{t,s,\bar x}) \otimes \mathcal{H}_E$ and onto its orthogonal complement, and $|\tilde\varphi^{t,s,\bar x,\theta}_{AE}\rangle$ and $|\tilde\varphi^{t,s,\bar x,\theta,\perp}_{AE}\rangle$ are the renormalized projections of $|\varphi^{t,s,\bar x,\theta}_{AE}\rangle$.

Consider the random variable $X$ that describes the measurement outcome if Alice were to measure all qubits of $A$ in step 3. We stress that she only measures the ones pointed to by $t$, but we may still consider what happens if she measures all of them. Formally, we set
$$\Pr[X = x \mid T=t, S=s, \bar X=\bar x, \Theta=\theta] = \langle\varphi^{t,s,\bar x,\theta}_{AE}|\big(|x\rangle\langle x|_\theta \otimes \mathbb{1}_E\big)|\varphi^{t,s,\bar x,\theta}_{AE}\rangle .$$

It holds that $\Pr[X \notin B^\delta_{T,S,\bar X}] \le \varepsilon^\delta_c$. This follows from the fact that it has no impact on the joint distribution of these random variables who measures the qubits $A$, and if we let Bob measure the qubits then this results in the associated strategy $\mathcal{B}$ for the classical sampling game, for which the above holds by definition of the error probability $\varepsilon^\delta_c$. By this observation, it is sufficient to relate $D(\rho_{TS\bar X\Theta AE}, \tilde\rho_{TS\bar X\Theta AE})$ to $\Pr[X \notin B^\delta_{T,S,\bar X}]$, which we do below. First, using elementary properties of the trace distance, we obtain that
$$\begin{aligned}
D\big(\rho_{TS\bar X\Theta AE}, \tilde\rho_{TS\bar X\Theta AE}\big)
&= \sum_{t,s,\bar x,\theta} P_{TS\bar X\Theta}(t,s,\bar x,\theta)\, D\big(|\varphi^{t,s,\bar x,\theta}_{AE}\rangle\langle\varphi^{t,s,\bar x,\theta}_{AE}|,\ |\tilde\varphi^{t,s,\bar x,\theta}_{AE}\rangle\langle\tilde\varphi^{t,s,\bar x,\theta}_{AE}|\big) \\
&= \sum_{t,s,\bar x,\theta} P_{TS\bar X\Theta}(t,s,\bar x,\theta)\, \sqrt{1 - |\langle\tilde\varphi^{t,s,\bar x,\theta}_{AE}|\varphi^{t,s,\bar x,\theta}_{AE}\rangle|^2} \\
&= \sum_{t,s,\bar x,\theta} P_{TS\bar X\Theta}(t,s,\bar x,\theta)\, |\langle\tilde\varphi^{t,s,\bar x,\theta,\perp}_{AE}|\varphi^{t,s,\bar x,\theta}_{AE}\rangle| \\
&\le \sqrt{\sum_{t,s,\bar x,\theta} P_{TS\bar X\Theta}(t,s,\bar x,\theta)\, |\langle\tilde\varphi^{t,s,\bar x,\theta,\perp}_{AE}|\varphi^{t,s,\bar x,\theta}_{AE}\rangle|^2},
\end{aligned}$$
where the last inequality follows from Jensen's inequality. But since
$$\begin{aligned}
|\langle\tilde\varphi^{t,s,\bar x,\theta,\perp}_{AE}|\varphi^{t,s,\bar x,\theta}_{AE}\rangle|^2
&= \langle\varphi^{t,s,\bar x,\theta}_{AE}|\big(\mathbb{1} - \Pi^{t,s,\bar x,\theta}\big)|\varphi^{t,s,\bar x,\theta}_{AE}\rangle
= \sum_{x \notin B^\delta_{t,s,\bar x}} \langle\varphi^{t,s,\bar x,\theta}_{AE}|\big(|x\rangle\langle x|_\theta \otimes \mathbb{1}_E\big)|\varphi^{t,s,\bar x,\theta}_{AE}\rangle \\
&= \Pr\big[X \notin B^\delta_{t,s,\bar x} \mid T=t, S=s, \bar X=\bar x, \Theta=\theta\big],
\end{aligned}$$
it follows that the term in the square root equals $\Pr[X \notin B^\delta_{T,S,\bar X}]$. This proves the claim. □


5.3.1 Completing the Security Proof of $\Pi_{\mathrm{QOT}}$

Proof of Theorem 5.2.5. Consider the joint state $|\varphi_{AE}\rangle$ right before the checking phase of $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$, consisting of the $n$ EPR pairs plus potentially some additional quantum system on Bob's side. The crucial observation now is that the checking phase of $\Pi^{\mathrm{EPR}}_{\mathrm{QOT}}$ follows exactly the lines of the adaptive quantum sampling game $\mathcal{G}^q$, in that Bob specifies $\theta_i = \theta_i^B$ and $\bar x_i = x_i^B$ sequentially and adaptively, depending on the previous selection bits $t_i = b_i$, which determine whether Alice uses position $i$ for checking or not.

It follows that for any constant $\delta > 0$, the real state, after Alice has measured the selected qubits, is $\varepsilon$-close to an ideal state that is a superposition over a small number of basis vectors with respect to the basis $\theta^B$, in the sense discussed in the previous section, with $\varepsilon \le \varepsilon^\delta_q(\Psi) \le \sqrt{\varepsilon^\delta_c(\Psi)}$, where $\Psi$ is the sampling strategy from Example 2.

The remainder of the proof now goes along the lines of the commitment-based proof of QOT in [BF10]. We give it here for completeness. The resulting (ideal) state being a superposition over a small number of basis vectors with respect to the basis $\theta^B$ still holds after Bob announces the sets $I_0$ and $I_1$, and it also still holds if we view the qubits $A_{I_c}$ as part of the adversarial system $E$, where $c \in \{0,1\}$ is such that $wt(\theta^A|_{I_c} \oplus \theta^B|_{I_c}) \le wt(\theta^A|_{I_{1-c}} \oplus \theta^B|_{I_{1-c}})$. Note that (by Hoeffding's inequality) except with probability $\mathrm{negl}(n)$, the number of positions $i \in I_{1-c}$ with $\theta_i^A \neq \theta_i^B$ is at least $\frac12\big(\frac14 - \delta\big)n$.

It follows from Fact 2 below that (for the ideal state)
$$H_{\min}\big(X_{1-c} \,\big|\, A_{I_c} E\big) \ge \tfrac12\big(\tfrac14 - \delta\big)n - h(\delta)\,n ,$$
except with negligible probability, where $X_{1-c} = X^A|_{I_{1-c}}$ and the left hand side should be understood as conditioned on all the common classical information, $\theta^A, \theta^B$ etc. By basic properties of the min-entropy, the same bound also applies to $H_{\min}(X_{1-c} \,|\, X_c E)$. It then follows from privacy amplification [Ren05, RK05] that if $\ell < \frac12\big(\frac14 - 2\delta\big)n - h(\delta)n$ (and concretely in our protocol we set $\ell = \lambda n$ with $\lambda < \frac18$), then the extracted string $S_{1-c}$ is $\mathrm{negl}(n)$-close to uniform given $X_c$ (and hence also given $S_c$), the quantum system $E$, and all common classical information. Collecting all the "errors" encountered on the way, the distance to uniform becomes $\mathrm{negl}(n) + \sqrt{\varepsilon^\delta_c(\Psi)}$. Below we analyze $\varepsilon^\delta_c(\Psi)$ and show that it is $\mathrm{negl}(n)$ as well; this then proves the claim. □

Fact 2 ([?, Corollary 1]). Let $|\varphi_{AE}\rangle$ be a superposition of states of the form $|x\rangle_{\hat\theta}|\psi_E\rangle$ with $w(x) \le \delta$ and $\delta \le 1/2$, and let the random variable $X$ be the outcome of measuring $A$ in basis $\theta \in \{+,\times\}^n$. Then
$$H_{\min}(X|E) \ge wt(\theta \oplus \hat\theta) - h(\delta)\,n ,$$
where $h(p) := -p\log p - (1-p)\log(1-p)$ is the binary Shannon entropy.

Analyzing the classical adaptive error probability. We now derive an upper bound on the classical error probability $\varepsilon^\delta_c$ of the sampling strategy from Example 2.

Proposition 5.3.5. For $\Psi = (P_T, P_S, f)$ from Example 2, and for any $\delta > 0$, it holds that $\varepsilon^\delta_c(\Psi) \le 6\exp(-\delta^2 n/144)$.

Proof. WLOG, we assume $\bar x = 0$ in the sampling game $\mathcal{G}$ and speak of (relative) Hamming weight instead of (relative) Hamming distance. We use capital letters $T_i$, $S_i$ and $X_i$ to represent the corresponding random variables in the game, where the randomness comes from Alice playing according to $(P_T, P_S)$ and an arbitrary (possibly randomized) strategy $\mathcal{B}$ of Bob. Let $D_i := (1 - T_i)X_i - 2T_iS_iX_i$ for $i = 1, \ldots, n$. Define $M_0 := 0$ and $M_k := \sum_{i=1}^k D_i$ for $k = 1, \ldots, n$. Notice that
$$\begin{aligned}
\mathrm{E}[M_k \mid M_0, \ldots, M_{k-1}] - M_{k-1}
&= \mathrm{E}[M_{k-1} + D_k \mid M_0, \ldots, M_{k-1}] - M_{k-1} \\
&= \mathrm{E}[D_k \mid M_0, \ldots, M_{k-1}]
= \big(\mathrm{E}[1 - T_k] - 2\,\mathrm{E}[T_k S_k]\big) \cdot \mathrm{E}[X_k \mid M_0, \ldots, M_{k-1}] = 0,
\end{aligned}$$
using the fact that $T_k$ and $S_k$ are independent of $M_0, \ldots, M_{k-1}$ and $X_k$, and $\mathrm{E}[T_kS_k] = \frac14$, $\mathrm{E}[T_k] = \frac12$. Hence $\{M_k\}_{k=0}^n$ forms a martingale sequence. Also, by construction, $M_n = wt(X_{\bar T}) - 2\,wt(X_S)$. Next observe that $|M_k - M_{k-1}| = |D_k| \le |(1 - T_k)X_k| + 2|T_kS_kX_k| \le 2$, therefore we can apply Azuma's inequality and obtain that, for any constant $\beta > 0$,
$$\Pr\big[|M_n| \ge \beta n\big] \le 2\exp\Big(-\frac{\beta^2 n^2}{2\sum_{k=1}^n 2^2}\Big) = 2\exp(-\beta^2 n/8).$$

Now we analyze $\Pr[|w(X_{\bar T}) - w(X_S)| \ge \delta]$, which gives an upper bound on $\varepsilon^\delta_c(\Psi)$. For some constant $\epsilon > 0$, define the event $\mathcal{E} := [\,wt(T) \in (\tfrac12 \pm \epsilon)n \ \wedge\ wt(S) \in (\tfrac14 \pm \epsilon)n\,]$, i.e., the event that $wt(T)$ and $wt(S)$ are concentrated around their respective expectations. Applying Hoeffding's inequality immediately tells us $\Pr[\mathcal{E}] \ge 1 - 4\exp(-2\epsilon^2 n)$. Conditioned on this event $\mathcal{E}$, it holds that
$$|2\,wt(X_{\bar T}) - n \cdot w(X_{\bar T})| = |2\,wt(\bar T)\,w(X_{\bar T}) - n \cdot w(X_{\bar T})| = |2\,wt(\bar T) - n| \cdot |w(X_{\bar T})| < 2\epsilon n$$
and, similarly, that $|4\,wt(X_S) - n \cdot w(X_S)| < 4\epsilon n$. Hence, conditioned on $\mathcal{E}$ and $|M_n| < \beta n$, it holds that
$$|w(X_{\bar T}) - w(X_S)| \le \frac1n\,|2\,wt(X_{\bar T}) - 4\,wt(X_S)| + 6\epsilon = \frac{2|M_n|}{n} + 6\epsilon < 2\beta + 6\epsilon .$$
It follows that
$$\Pr\big[|w(X_{\bar T}) - w(X_S)| \ge 2\beta + 6\epsilon\big] \le \Pr\big[\neg\mathcal{E} \ \vee\ |M_n| \ge \beta n\big] \le 4\exp(-2\epsilon^2 n) + 2\exp(-\beta^2 n/8).$$
Finally, picking$^4$ $\epsilon = \delta/12$ and $\beta = \delta/4$ (so that $2\beta + 6\epsilon = \delta$), we conclude that
$$\varepsilon^\delta_c(\Psi) \le \Pr\big[|w(X_{\bar T}) - w(X_S)| \ge \delta\big] \le 4\exp(-\delta^2 n/72) + 2\exp(-\delta^2 n/128) \le 6\exp(-\delta^2 n/144). \quad □$$
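The following Python script is an added example (not code from the thesis) that plays the adaptive sampling game $\mathcal{G}$ of Figure 5.4 with the strategy $\Psi$ of Example 2 and estimates $\varepsilon^\delta_c(\Psi)$ of Definition 5.3.2 by Monte Carlo, against two adaptive Bobs constructed here for illustration, next to the bound $6\exp(-\delta^2 n/144)$ of Proposition 5.3.5. As in the proof, $\bar x = 0$, so Alice's estimate is $w(X_S)$ and the target is $w(X_{\bar T})$; the two Bobs condition their $x_i$ on the already announced $t_1, \ldots, t_{i-1}$, which is exactly the history-dependence that the martingale argument above shows to be harmless. The bound is only meaningful once $\delta^2 n$ is in the hundreds, hence the parameters $n = 4000$, $\delta = 0.5$ in `run_check`.

```python
"""Adaptive sampling game G (Figure 5.4) with the strategy Psi of Example 2.

Added example, not code from the thesis.  x-bar = 0 as in the proof of
Proposition 5.3.5, so Alice's estimate is w(x_s) and the quantity it should
approximate is w(x_{t-bar}).  The two Bob strategies are constructed here to
exercise the adaptivity that the non-adaptive game of [BF10] does not allow.
"""
import math
import random


def relative_weight(bits):
    """w(.): relative Hamming weight, taken as 0 for the empty string."""
    return sum(bits) / len(bits) if bits else 0.0


def play_game(n, bob, rng):
    """One run of G.  Alice draws t uniformly and s as a uniform sub-sample of
    t in advance (t_i = 0 forces s_i = 0).  Bob commits x_i knowing t_1..t_{i-1}
    (and how many of them were 1), then learns t_i.  Returns
    (mu_{t,s} = w(x_s), w(x_{t-bar}))."""
    t = [rng.getrandbits(1) for _ in range(n)]
    s = [t_i & rng.getrandbits(1) for t_i in t]
    x, history, sampled = [], [], 0
    for i in range(n):
        x.append(bob(history, sampled))  # adaptive choice, t_i still hidden
        history.append(t[i])             # Alice announces t_i
        sampled += t[i]
    estimate = relative_weight([x[i] for i in range(n) if s[i]])
    actual = relative_weight([x[i] for i in range(n) if not t[i]])
    return estimate, actual


def bob_streak(history, sampled, k=3):
    """After k sampled positions in a row, bet that the next one is unsampled
    and put a 1 there (useless against fresh coins, but history-dependent)."""
    return 1 if len(history) >= k and all(history[-k:]) else 0


def bob_drift(history, sampled):
    """Write 1s whenever fewer than half of the past positions were sampled,
    hoping the unsampled remainder will absorb them."""
    return 1 if history and sampled < len(history) / 2 else 0


def error_bound(delta, n):
    """Proposition 5.3.5: eps_c^delta(Psi) <= 6 exp(-delta^2 n / 144)."""
    return 6 * math.exp(-delta ** 2 * n / 144)


def empirical_error(n, delta, bob, trials, rng):
    """Fraction of runs with |mu_{t,s} - w(x_{t-bar})| >= delta, i.e. X outside
    B^delta_{T,S,X-bar}(Psi) of Definition 5.3.2."""
    bad = 0
    for _ in range(trials):
        estimate, actual = play_game(n, bob, rng)
        if abs(estimate - actual) >= delta:
            bad += 1
    return bad / trials


def run_check(seed, n=4000, delta=0.5, trials=30):
    """Empirical error of both Bobs for one seed, next to the proven bound."""
    rng = random.Random(seed)
    return {
        "bound": error_bound(delta, n),
        "streak": empirical_error(n, delta, bob_streak, trials, rng),
        "drift": empirical_error(n, delta, bob_drift, trials, rng),
    }


if __name__ == "__main__":
    for name, value in run_check(2010).items():
        print("%-7s %.5f" % (name, value))
```

A non-adaptive Bob can be plugged in as `lambda history, sampled: x_fixed[len(history)]`, which reduces the script to the game of [BF10]; the point of the adaptive version is that `bob_streak` and `bob_drift` get no advantage from the announced $t_i$'s, in line with Proposition 5.3.5.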

For completeness, we include some of the technical facts we used in this section.

Fact 3 (Hoeffding's inequality). Let $x \in \{0,1\}^n$ be a bit string with relative Hamming weight $\mu := w(x)$. Let $X_1, \ldots, X_k$ be $k$ bits sampled uniformly from $x$ without replacement. Then for any $\delta > 0$, $\bar X := \frac1k\sum_{i=1}^k X_i$ satisfies
$$\Pr\big[|\bar X - \mu| \ge \delta\big] \le 2\exp(-2\delta^2 k).$$

Fact 4 (Azuma's inequality). Let $X_j$, $j = 0, \ldots, n$, be a martingale with $|X_j - X_{j-1}| \le c_j$. Then
$$\Pr\big[|X_n - X_0| \ge t\big] \le 2\exp\Big(-\frac{t^2}{2\sum_{j=1}^n c_j^2}\Big).$$

Fact 5 (Privacy Amplification [RK05, Theorem 1]). Let $\rho_{XE}$ be a hybrid state with classical $X$, of the form $\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho^x_E$. Let $\mathcal{F}$ be a family of universal hash functions with range $\{0,1\}^\ell$ and let $F$ be chosen uniformly at random from $\mathcal{F}$. Then $K = F(X)$ satisfies
$$D\Big(\rho_{KFE},\ \tfrac{1}{2^\ell}\mathbb{1}_K \otimes \rho_{FE}\Big) \le \tfrac12 \cdot 2^{-\frac12\left(H_{\min}(X|E) - \ell\right)} .$$

$^4$ Our purpose here is simplifying the expression; the choice is not necessarily tight.
6 Application: Characterizing Cryptographic Tasks in the QUC Model

The experience so far already suggests that different functionalities may have different "power" in terms of realizing other functionalities based on them. For example, we have seen that, with respect to classical statistical UC security, any $\mathcal{F}$ can be realized in the $\mathcal{F}_{\mathrm{OT}}$-hybrid model, while $\mathcal{F}_{\mathrm{COM}}$ is strictly less powerful, and in particular it is not sufficient to realize $\mathcal{F}_{\mathrm{OT}}$. This leads to a formalization of cryptographic complexity, analogous to the notion of computational complexity. Loosely speaking, for two functionalities $\mathcal{F}$ and $\mathcal{F}'$, we study their relative complexity by investigating whether there is a reduction from one to the other, i.e., whether there is an $\mathcal{F}$-hybrid protocol that emulates $\mathcal{F}'$ or vice versa. The material in this chapter is adapted from our work [FKS+13].

6.1 Reductions of Functionalities: Overview

Defining Cryptographic Reductions. In general, we say $\mathcal{F}$ reduces to $\mathcal{F}'$, denoted $\mathcal{F} \sqsubseteq \mathcal{F}'$, if there is an $\mathcal{F}'$-hybrid protocol realizing $\mathcal{F}$. This is not precise though, as we need to specify the level of security (e.g., computational or statistical) and the type of the protocol (classical or quantum) in the reduction. Our interest will be in the quantum UC security model, with both classical and quantum reductions. Specifically, we study the reductions in the table below. In this work, we only consider static corruption.

                            Classical Reduction (c)    Quantum Reduction (q)
  Computational (Q-CUC)     cQ-CUC                     qQ-CUC
  Statistical (Q-SUC)       cQ-SUC                     qQ-SUC

Definition 6.1.1 (Classical Reduction in Computational UC Model). Let $\mathfrak{A}$ be a collection of computational assumptions. We say $\mathcal{F}$ classically Q-CUC (resp. C-CUC) reduces to $\mathcal{F}'$ under assumption $\mathfrak{A}$, denoted $\mathcal{F} \sqsubseteq^{\mathrm{cQ\text{-}CUC}}_{\mathfrak{A}} \mathcal{F}'$ (resp. $\mathcal{F} \sqsubseteq^{\mathrm{cC\text{-}CUC}}_{\mathfrak{A}} \mathcal{F}'$), if there is a classical protocol $\pi_{\mathcal{F}}$ that Q-CUC (resp. C-CUC) emulates $\mathcal{F}$ in the $\mathcal{F}'$-hybrid model, assuming $\mathfrak{A}$ holds.

Definition 6.1.2 (Classical Reductions in Statistical UC Model). We say $\mathcal{F}$ classically Q-SUC (resp. C-SUC) reduces to $\mathcal{F}'$, denoted $\mathcal{F} \sqsubseteq^{\mathrm{cQ\text{-}SUC}} \mathcal{F}'$ (resp. $\mathcal{F} \sqsubseteq^{\mathrm{cC\text{-}SUC}} \mathcal{F}'$), if there is a classical protocol $\pi_{\mathcal{F}}$ that Q-SUC (resp. C-SUC) emulates $\mathcal{F}$ in the $\mathcal{F}'$-hybrid model.

By Unruh's lifting lemma, we know that a classical protocol $\pi$ C-SUC emulates another protocol $\rho$ if and only if $\pi$ Q-SUC emulates $\rho$. Thus when we consider classical reductions in the statistical setting, we do not need to distinguish between the C-SUC and Q-SUC models. Namely, the two definitions are equivalent, and hence later on we use the unified notation "$\sqsubseteq^{\mathrm{c\text{-}SUC}}$" for classical reductions in the (quantum- and classical-) statistical UC model.

When we use quantum protocols to emulate one functionality from the other, we call them quantum reductions.

Definition 6.1.3 (Quantum Reductions in Q-CUC Model). Let $\mathfrak{A}$ be a collection of computational assumptions. We say $\mathcal{F}$ quantumly Q-CUC reduces to $\mathcal{F}'$ under assumption $\mathfrak{A}$, denoted $\mathcal{F} \sqsubseteq^{\mathrm{qQ\text{-}CUC}}_{\mathfrak{A}} \mathcal{F}'$, if there is a quantum protocol $\Pi_{\mathcal{F}}$ that Q-CUC emulates $\mathcal{F}$ in the $\mathcal{F}'$-hybrid model, assuming $\mathfrak{A}$ holds.

The statistical case is defined analogously; no computational assumption is involved.

Definition 6.1.4 (Quantum Reductions in Q-SUC Model). We say $\mathcal{F}$ quantumly Q-SUC reduces to $\mathcal{F}'$, denoted $\mathcal{F} \sqsubseteq^{\mathrm{qQ\text{-}SUC}} \mathcal{F}'$, if there is a quantum protocol $\Pi_{\mathcal{F}}$ that Q-SUC emulates $\mathcal{F}$ in the $\mathcal{F}'$-hybrid model.

We remark that quantum protocols are usually employed to achieve statistical security, and indeed most existing quantum protocols do; this is the case we mainly focus on in this work. We leave for future investigation whether the quantum computational UC reduction (qQ-CUC) is an interesting notion.

There are two types of functionalities we care about most: feasible ones, which can be realized assuming a secure communication channel only (i.e., in the $\mathcal{F}_{\mathrm{SEC}}$-hybrid model), and complete ones, based on which every functionality can be realized.

Definition 6.1.5 (Quantum UC Feasible). We call $\mathcal{F}$ Q-SUC feasible (resp., Q-CUC feasible under assumption $\mathfrak{A}$) if there is a classical or quantum protocol that Q-SUC emulates $\mathcal{F}$ (resp., Q-CUC emulates $\mathcal{F}$ assuming $\mathfrak{A}$ holds) in the $\mathcal{F}_{\mathrm{SEC}}$-hybrid model.

Non-feasibility in the statistical setting is straightforward: there exists no protocol that Q-SUC (equivalently C-SUC) emulates $\mathcal{F}$. In the computational setting, however, we need to be a little careful. Here we take a stronger form of non-feasibility: $\mathcal{F}$ is non-feasible if no protocol exists that Q-CUC (resp. C-CUC) emulates $\mathcal{F}$ under any computational assumption.

Definition 6.1.6 (Quantum UC Complete). We call $\mathcal{F}$ Q-SUC complete (resp., Q-CUC complete under $\mathfrak{A}$) if for any $\mathcal{F}'$ there is a classical or quantum protocol that Q-SUC emulates $\mathcal{F}'$ (resp., Q-CUC emulates $\mathcal{F}'$ assuming $\mathfrak{A}$ holds) in the $\mathcal{F}$-hybrid model.

Reductions in the Classical UC Model. Early works, initiated in [CLOS02], aimed to identify complete primitives in the computational setting [BCNP04, ?, IPS08, CPS07]. Completeness results in the statistical setting, where the adversary is computationally unbounded, have also been shown [Kil88, IPS08]. Systematic studies of cryptographic complexity are only recent. Maji et al. proved a zero/one law [MPR10]: every two-party deterministic function with polynomial-size input domain is either feasible$^1$ (i.e., can be realized in the UC framework with no setup assumptions) or complete (i.e., sufficient for computing arbitrary other functions, under appropriate complexity assumptions). This characterization was extended by Katz et al. [KKK+11], who showed completeness for deterministic functions with exponential-size input domains, and by Rosulek [Ros12], who showed completeness for randomized, reactive functions as well. In the setting of information-theoretic security, Kraschewski et al. [KMQ11] give a characterization of completeness for two-party deterministic functionalities, and show that a zero/one law does not hold. In fact, Maji et al. [MPR09] showed there is an infinite hierarchy of function complexity in the statistical setting.

$^1$ In the literature it is sometimes called trivial, but we prefer feasible. Though in the UC setting only a few "trivial" functionalities can be realized, in general designing secure protocols (as we did in Chapter 4) in the plain model is highly "nontrivial".

Reductions in a Quantum World. How do the results described in the previous section change when we move to the quantum world? The answer, a priori, is unclear. Feasibility results in the classical setting may not hold in the quantum setting since quantum adversaries are more powerful than classical ones. This is true even if "quantum-resistant" cryptographic assumptions are used, since techniques such as rewinding that are used to prove security against classical adversaries may not apply in the quantum setting. Even in the case of statistical security, feasibility results may not translate from the classical world to the quantum world [CSST11].

In the other direction, impossibility results in the classical setting might potentially be circumvented in the quantum setting since honest parties can rely on quantum mechanics, too. As a notable example of this, statistically secure key exchange is possible in the quantum world [BB84] but not in the classical one. While several impossibility results for statistically secure two-party computation in the quantum setting are known [May97, LC97, Lo97, SSS09, BCS12], these results say nothing about the computational setting. They also say nothing about what might be possible given trusted setup. An example here, which also demonstrates the power of quantum protocols, arises in the context of building oblivious transfer (OT) from commitment. Classically, this is impossible [MPR09]. However, there is a construction of OT from commitment in the quantum world [BBCS91, DFL+09, Unr10, BF10]; as a consequence, commitment is complete for UC computation in that setting [Unr10].

Given the above, the situation regarding feasibility and completeness of functionalities within the quantum UC framework (see Section 3.3) is unclear, though partial answers are known. In the statistical setting, Unruh [Unr10] gives a generic "lifting" theorem asserting that classically secure protocols remain (statistically) secure in the quantum world. So any functionality that is classically trivial (in a statistical sense) is also trivial in a quantum setting. Moreover, any functionality that is classically complete in a statistical sense (and so in particular OT [Unr10]) is complete with respect to the quantum UC framework as well. The situation is less clear with regard to computational security. Our work in Chapter ?? essentially "salvages" a few classically complete functionalities, showing that, for example, zero-knowledge is still complete in the quantum world. But this does not rule out the possibility that some classically complete functionalities are no longer complete in the quantum setting.

Main Result. Along the lines of [MPR09, MPR10], we study reductions for the 
class U of finite, deterministic, two-party functionalities (cf. Definition 2.3.2) in 
the quantum UC model. 

Unfortunately, we were unable to prove or disprove (quantum-UC) neither com¬ 
pleteness nor feasibility of the 1-bit cut-and-choose functionality Fee £ U? There¬ 
fore, our results are for the slightly smaller class U~ which is U excluding the small 
fraction of functionalities that are sufficient for (statistically classically) realizing 
J-'icc but not for realizing Fee- Formally: 

U. = {F \ (7 G h) A ((JScc C c - suc F) V (Jcc r” suc -F))} • 

Our work shows generic lifting theorems that answer how completeness and feasibility results (as in [MPR09, MPR10]) change in the quantum UC model, by which we are able to categorize U^- in terms of cryptographic reductions.

• Lifting Completeness to Quantum Setting. We show that classical completeness essentially translates to the quantum UC model, with the caution that we need to augment the computational assumptions in the computational setting. This is the content of Section 6.2.

• Lifting Feasibility to Quantum Setting. We show equivalence between classical feasibility and quantum feasibility, regardless of which setting, computational or statistical, it is. A key lemma is a quantum analogue of Canetti-Fischlin's proof that there exists F (e.g., F_COM) that is impossible to realize with computational UC security. This is discussed in Section 6.3.

• Reducibility Landscape of U^-. In the quantum computational setting, it turns out that every functionality in our class is either feasible or complete, analogous to the classical case [MPR10]. Whereas in the quantum statistical setting, functionalities fall into one of three different classes; this is in contrast with the (more complicated) classical picture [MPR09, KMQ11].

[2] Our conjecture is that F_CC is also c-SUC complete. Recall that classically neither F_CC nor F_2CC is statistically UC complete [MPR10].


6.2 Lifting Classical Completeness to Quantum UC Model

In this section we prove that statements about completeness of functionalities in the classical setting are preserved in the quantum setting. More precisely, we prove the following theorem:

Theorem 6.2.1 (Quantum Lifting of Completeness). For any F ∈ U^- the following statements hold:

(a) (Statistical Setting) If F is C-SUC complete then F is Q-SUC complete.

(b) (Computational Setting) Let 𝔄 = {existence of semi-honest OT} and 𝔄' = {existence of a quantum-secure pseudorandom generator (Assumption 1) and a dense encryption that is quantum IND-CPA (Assumption 2)}. If F is C-CUC complete under 𝔄 then F is Q-CUC complete under 𝔄'.

The statistical statement follows easily from Unruh's quantum lifting theorem (Fact 1) and the definition of completeness. In the remainder of this section we prove the computational statement. To this end we follow a structure similar to that of [MPR10]: First, in Section 6.2.1 we show that for any F ∈ U^-, either F is Q-CUC feasible or one of {F_XOR, F_OT, F_2CC, F_COM} c-SUC reduces to F. Second, we need to show that F_XOR, F_OT, F_2CC, and F_COM are Q-CUC complete. As we have shown in Chapter 5, F_OT and F_2CC are Q-SUC, and hence Q-CUC, complete. In Section 6.2.2, we prove that F_XOR and F_COM, among a few others, are Q-CUC complete. Finally, these combined with the quantum UC composition theorem finish the proof. We remark that only in one reduction, i.e., showing F_2CC is complete, do we use a quantum protocol. All other reductions to prove completeness only need classical protocols.

6.2.1 Characterizing Non-Feasible Functionalities

Maji et al. [MPR10] showed that any F ∈ U^- that is not C-CUC feasible can be used to realize one of {F_XOR, F_OT, F_COM} statistically. By Unruh's lifting lemma, we obtain the following fact:

Fact 6 ([MPR10, Unr10]). Let F ∈ U^-. If F is not C-CUC feasible, then for some F' ∈ {F_XOR, F_OT, F_2CC, F_COM} the following holds: F' ⊑_{c-SUC} F.

In [MPR10], they showed C-CUC completeness of {F_XOR, F_OT, F_2CC, F_COM} respectively. Therefore, to show every C-CUC complete functionality is still Q-CUC complete, we are only left to prove that F_XOR is Q-CUC complete, because we already know that F_OT, F_2CC, and F_COM are all Q-SUC complete.

6.2.2 Q-CUC Completeness of F_XOR and a Few More

Here we show that F_XOR and F_COM are Q-CUC complete. We have seen in Chapter ?? that F_ZK is Q-CUC complete, which allows us to identify a few more complete functionalities: F_COM, F_XOR and F_CF. Actually, we show that these functionalities are Q-CUC equivalent under classical reductions.

Theorem 6.2.2. F_ZK ≡ F_XOR ≡ F_COM ≡ F_CF under cQ-CUC reductions.

Equivalence Between F_ZK and F_CF.

Proposition 6.2.3. (a) Under Assumption 1, there is a constant-round protocol that Q-CUC emulates F_CF in the F_ZK-hybrid model.

(b) Under Assumptions 1 and 2, there is a constant-round protocol that quantum UC-emulates F_ZK in the F_CF-hybrid model.
F_CF ⊑_{cQ-CUC} F_ZK. This direction already holds by Theorem 4.1.1. However, that relies on the generic construction of CLOS, which is typically not optimal in terms of the number of rounds (i.e., round complexity) and the amount of messages exchanged (i.e., communication complexity). Here we give a direct reduction which is simple and more efficient. Specifically, we show that the parallel coin-flipping protocol of Lindell [Lin03], once executed in the F_ZK-hybrid model, i.e., with the (stand-alone) ZKAoK protocol replaced by the ideal protocol for F_ZK, is essentially Q-CUC secure. This yields a constant-round protocol for F_CF, and we need only one extra computational assumption: the existence of a quantum-secure PRG.

Coin-Flipping Protocol π^{ZK}_{CF}

1. A chooses a ← {0,1}^n at random, and sends B a commitment of a: c = comm(a, r).

2. A proves knowledge of (a, r) using F_ZK.

3. B sends b ← {0,1}^n to A.

4. A sends B the string a.

5. A proves to B that c is indeed a commitment of a using F_ZK.

6. A and B set s = a ⊕ b as the outcome.


We construct π^{ZK}_{CF} and show that it quantum UC-emulates F_CF in the F_ZK-hybrid model. We give proofs for corrupted A and corrupted B separately.

Player A is corrupted. We construct an ideal-world S for any adversary A corrupting A.

Claim 6.2.4. For any A corrupting A, M_{π^{ZK}_{CF},A} ≈_qci M_{F_CF,S}.

Proof. Because s is chosen uniformly, b = a ⊕ s is also uniformly random. Thus the above ideal execution is actually identical to the real execution from the perspective of the adversary and the environment. □
Simulator S: A is corrupted

Input: A as a black box; security parameter 1^n

1. S initializes A with whatever input state it receives from the environment.

2. S obtains s from F_CF, which is chosen uniformly at random, s ← {0,1}^n.

3. S receives c = comm(a) from A.

4. A shows knowledge of (a, r) to F_ZK, which is simulated by S here. S verifies that c = comm(a, r) and aborts if not. This allows S to learn a.

5. S sends b = a ⊕ s to A.

6. A sends a to S.

7. A shows knowledge of ((c, a), r), and S verifies it. Abort if verification fails.

8. If A aborts at any point, S aborts F_CF. Otherwise, S instructs F_CF to send s to the other (dummy) party B.

9. S outputs whatever A outputs.
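To make the simulation argument concrete, here is an added Python model of the coin-flipping protocol and of the simulator above (example code written for this page, not code from the thesis or from [Lin03]). It assumes a hash-based commitment comm(a, r) = SHA-256(a || r) in place of the abstract scheme, models the ideal F_ZK as a trusted object that checks the witness, and the adversary class and the parameter N are constructed for the demonstration. The point it shows: because S runs F_ZK in the ideal world, it learns a from the witness before choosing b, so it can set b = a ⊕ s and the outcome always equals the s handed out by F_CF, while an A that tries to open c to a different string is caught at step 7.

```python
"""Coin flipping in the F_ZK-hybrid model and the simulator for a corrupted A.
Added example, not the thesis's own code.  Assumptions (ours): comm(a, r) is a
SHA-256 hash commitment and F_ZK is a trusted Python object checking the witness."""
import hashlib
import secrets

N = 16  # n, the length of a and b, in bytes (constructed parameter)


def comm(a: bytes, r: bytes) -> bytes:
    """Hash-based commitment c = comm(a, r); stands in for the abstract scheme."""
    return hashlib.sha256(b"comm|" + a + b"|" + r).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(x, y))


class IdealZK:
    """Ideal F_ZK for the relation {((c, a), (a, r)) : c = comm(a, r)}.
    Step 2 uses the statement (c, None) ('I know an opening of c'); step 5 uses
    (c, a) ('c opens to a').  The prover hands the witness to F_ZK, which only
    reports accept/reject.  Whoever runs F_ZK sees the witness: in the ideal
    world that is S, which is exactly how S extracts a."""

    def __init__(self, observer=None):
        self.observer = observer  # hook used by S to read the witness

    def prove(self, statement, witness) -> bool:
        c, a_pub = statement
        a, r = witness
        ok = comm(a, r) == c and (a_pub is None or a_pub == a)
        if self.observer is not None:
            self.observer(statement, witness, ok)
        return ok


def real_execution():
    """Both parties honest: returns (s, a, b) with s = a XOR b."""
    zk = IdealZK()
    a, r = secrets.token_bytes(N), secrets.token_bytes(N)
    c = comm(a, r)                              # 1. A commits to a
    assert zk.prove((c, None), (a, r))          # 2. A proves knowledge of (a, r)
    b = secrets.token_bytes(N)                  # 3. B sends b
    assert zk.prove((c, a), (a, r))             # 4./5. A sends a, proves c opens to a
    return xor(a, b), a, b                      # 6. outcome s = a XOR b


class CorruptA:
    """Constructed corrupted A: follows the message format but picks a itself;
    with cheat_open it tries to reveal a different string after seeing b."""

    def __init__(self, a: bytes, cheat_open: bool = False):
        self.a, self.r, self.cheat_open = a, secrets.token_bytes(N), cheat_open

    def commit(self) -> bytes:
        self.c = comm(self.a, self.r)
        return self.c

    def prove_knowledge(self):
        return (self.a, self.r)

    def reveal(self, b: bytes) -> bytes:
        return xor(self.a, b"\x01" * N) if self.cheat_open else self.a

    def prove_opening(self, a_sent: bytes):
        return (a_sent, self.r)


def simulate_corrupt_A(adv: CorruptA, s: bytes):
    """Simulator S for a corrupted A; s is the coin F_CF handed to S.
    Returns the outcome delivered to B, or None if S aborts F_CF."""
    extracted = {}

    def observe(statement, witness, ok):
        if ok and statement[1] is None:         # step 4: S learns a from the witness
            extracted["a"] = witness[0]

    zk = IdealZK(observe)
    c = adv.commit()                            # 3. S receives c
    if not zk.prove((c, None), adv.prove_knowledge()):
        return None                             # 4. proof of knowledge fails: abort
    b = xor(extracted["a"], s)                  # 5. b = a XOR s forces the outcome s
    a_sent = adv.reveal(b)                      # 6. A reveals (what it claims is) a
    if not zk.prove((c, a_sent), adv.prove_opening(a_sent)):
        return None                             # 7. opening proof fails: abort
    return s                                    # 8. F_CF delivers s to B
```

In the adversary's view the value b = a ⊕ s is a uniformly random string, exactly as in a real run where B samples b itself; that is the whole content of Claim 6.2.4.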


Player B is corrupted. For any real-world adversary A that corrupts B, we construct an ideal-world adversary S.

Claim 6.2.5. For any A corrupting B, M_{π^{ZK}_{CF},A} ≈_qci M_{F_CF,S}.

Proof. We define an intermediate machine M which behaves differently from M_{F_CF,S} merely in that a uniformly random string a ← {0,1}^n is chosen and sent to A in M, instead of sending a = s ⊕ b. Then observe that the only difference between M and M_{π^{ZK}_{CF},A} appears in the first commitment message: M commits to 0^n while M_{π^{ZK}_{CF},A} commits to a. Hence we can claim that:

• M_{F_CF,S} ≡ M since s is chosen uniformly at random by F_CF and hence s ⊕ b is still uniformly random, just as a in M. Thus the two machines are identical.

• M ≈_qci M_{π^{ZK}_{CF},A} because they are simply related by changing the underlying message of a commitment. □
Simulator S: B is corrupted

Input: A as a black box; security parameter 1^n

1. S initializes A with whatever input state it receives from the environment.

2. S obtains s from F_CF, which is chosen uniformly at random, s ← {0,1}^n.

3. S computes c = comm(0^n) and sends it to A.

4. S plays the role of F_ZK and sends c to A.

5. S obtains b ∈ {0,1}^n from A.

6. S sends a = s ⊕ b to A.

7. S mimics F_ZK and sends (c, a) to A.

8. If A aborts at any point, S aborts F_CF.

9. S outputs whatever A outputs.


F_ZK ⊑_{cQ-CUC} F_CF. We construct a (classical) constant-round protocol for F_ZK in the F_CF-hybrid model. Our π^{CF}_{ZK} protocol uses a standard transformation from a witness-indistinguishable (WI) proof system in the F_CF-hybrid model. The main technical step in our analysis is showing that Blum's 3-round ZK protocol for Hamiltonian Cycle is in fact WI against a malicious quantum adversary. Our proof avoids rewinding, and is reminiscent of proofs that certain WI protocols can be composed concurrently.

Let (P, V) be an interactive proof (or argument) system for an NP-relation R_L. Denote by R_L(x) the set of all witnesses of x. We consider a real-world execution of protocol (P, V) in the quantum UC model. Namely, there is an interactive environment participating in the execution and outputting 1 or 0 at the end. Let EXEC_{P,V,Z}(x, w) represent the output distribution of an execution of π, where Z is an interactive environment and P uses w as a witness.

Definition 6.2.6 (Quantum UC Witness-indistinguishable). Let π = (P, V) be an interactive proof (or argument) system for a language L ∈ NP. We say π is quantum UC witness-indistinguishable (quantum UC-WI) for R_L if, for any polynomial-time QIM V*, any polynomial-time QIM Z, and any x,

$$\mathrm{EXEC}_{P,V^*,Z}(x, w_1) \approx \mathrm{EXEC}_{P,V^*,Z}(x, w_2)$$

for any w_1, w_2 ∈ R_L(x).

We can show that if we use a statistically binding and quantum computationally hiding commitment scheme (as the one following Assumption 1) in Blum's zero-knowledge proof system for Hamiltonian Cycle [Blu86], then the resulting protocol, call it HC_Q, is quantum UC-WI.

For completeness, let us recall Blum's zero-knowledge proof for Hamiltonian Cycle (HC).

HC: ZK proof for Hamiltonian Cycle

Input: directed graph x with n nodes; P is given a Hamiltonian cycle w (the witness) in x; security parameter 1^n

(a) P picks a random permutation σ ← S_n and lets y = σ(x). P commits to (y, σ) and sends (comm(y), comm(σ)) to V. Here comm(y) represents a bit-by-bit commitment to the adjacency matrix of y.

(b) V picks at random a challenge bit ch ← {0,1} and sends it to P.

(c) P responds according to ch: if ch = 0, P opens all commitments of step 1 to V; if ch = 1, P reveals a Hamiltonian cycle in σ(x), namely it opens the entries in comm(y) that correspond to σ(w).

(d) V verifies P's response: if ch = 0, V checks that the commitments are opened correctly; if ch = 1, V checks that the revealed edges form a cycle in y. V accepts if all checks succeed.

Proposition 6.2.7. HC_Q is quantum UC-WI.

Proof. Let E_1 = EXEC_{P,V,Z}(x, w_1, 1^n) and E_2 = EXEC_{P,V,Z}(x, w_2, 1^n). We want to show that

$$|\Pr(E_1 = 1) - \Pr(E_2 = 1)| = \delta(n) \le \mathrm{negl}(n).$$
Note that the distribution of ch in E_1 and E_2 is identical, since the first messages in E_1 and E_2 are identically distributed (commitments to the same objects) and the distribution of ch is uniquely determined by the prover's first message and V's local configuration. So we know Pr(ch = b in E_1) = Pr(ch = b in E_2) =: Pr(ch = b) for b = 0, 1. Let

$$\delta_0(n) = \big|\Pr(E_1 = 1 \wedge ch = 0 \text{ in } E_1) - \Pr(E_2 = 1 \wedge ch = 0 \text{ in } E_2)\big|$$

and

$$\delta_1(n) = \big|\Pr(E_1 = 1 \wedge ch = 1 \text{ in } E_1) - \Pr(E_2 = 1 \wedge ch = 1 \text{ in } E_2)\big|.$$

Then δ(n) ≤ δ_0(n) + δ_1(n) by the triangle inequality. We show that both δ_0 and δ_1 are negligible.

Claim 6.2.8. δ_0(n) = |Pr(E_1 = 1 ∧ ch = 0 in E_1) − Pr(E_2 = 1 ∧ ch = 0 in E_2)| = 0.

Proof. We have

$$\delta_0(n) = \big|\Pr(E_1 = 1 \mid ch = 0 \text{ in } E_1)\cdot\Pr(ch = 0 \text{ in } E_1) - \Pr(E_2 = 1 \mid ch = 0 \text{ in } E_2)\cdot\Pr(ch = 0 \text{ in } E_2)\big| = \Pr(ch = 0)\cdot\big|\Pr(E_1 = 1 \mid ch = 0 \text{ in } E_1) - \Pr(E_2 = 1 \mid ch = 0 \text{ in } E_2)\big|.$$

However, provided that ch = 0, E_1 and E_2 become identical, since the response is just the opening of the commitments. Therefore Pr(E_1 = 1 | ch = 0 in E_1) = Pr(E_2 = 1 | ch = 0 in E_2) and hence δ_0(n) = 0. □

Claim 6.2.9. δ_1(n) = |Pr(E_1 = 1 ∧ ch = 1 in E_1) − Pr(E_2 = 1 ∧ ch = 1 in E_2)| ≤ negl(n).

Proof. We present an imaginary experiment E(1^n) such that |Pr(E_i = 1 ∧ ch = 1 in E_i) − Pr(E(1^n) = 1)| ≤ negl(n) for both i = 1, 2. It then follows easily by the triangle inequality that

$$\delta_1(n) = \big|\Pr(E_1 = 1 \wedge ch = 1 \text{ in } E_1) - \Pr(E_2 = 1 \wedge ch = 1 \text{ in } E_2)\big| \le \sum_{i=1}^{2} \big|\Pr(E_i = 1 \wedge ch = 1 \text{ in } E_i) - \Pr(E(1^n) = 1)\big| \le \mathrm{negl}(n).$$

Compared to a real execution in which ch = 1, E(1^n) differs only in step 1, where the commitment is to a permuted complete graph σ(K_n) as opposed to σ(x). However, the hiding property of the commitment scheme ensures that no polynomial-time machine can distinguish them. Hence |Pr(E_i = 1 ∧ ch = 1 in E_i) − Pr(E(1^n) = 1)| ≤ negl(n) for both i = 1, 2. □

Therefore we conclude that HC_Q is quantum UC-WI. □
Experiment E(1^n)

(a) P picks a random permutation σ, commits to a permuted complete graph, and sends the commitments comm(σ) and comm(σ(K_n)) to V. K_n is the complete graph on n vertices.

(b) V picks the challenge bit ch = 1 and sends it to P.

(c) P responds by opening a cycle in σ(K_n).

(d) V verifies P's response.
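The following added Python implementation runs one round of HC and the witness-free experiment E(1^n) side by side (example code written for this page, not the thesis's own; the commitment is a SHA-256 hash commitment with 16-byte randomness standing in for the statistically binding scheme, and the five-vertex sample graph is constructed). It shows the two facts the proof of Proposition 6.2.7 rests on: for ch = 0 the verifier only checks that the opened matrix is σ(x), so the witness never enters the response, and for ch = 1 the response is n opened 1-entries forming a cycle, which can be produced just as well from a commitment to σ(K_n).

```python
"""Blum's HC proof with bit-by-bit commitments to the permuted adjacency matrix,
plus the witness-free experiment E(1^n).  Added example, not the thesis's own
code.  Assumptions (ours): comm(m, r) = SHA-256(m || r) replaces the statistically
binding commitment; the sample graph below is constructed."""
import hashlib
import secrets

RAND = secrets.SystemRandom()


def comm(msg: bytes, r: bytes) -> bytes:
    return hashlib.sha256(b"comm|" + msg + b"|" + r).digest()


def permute_graph(adj, sigma):
    """y = sigma(x): vertex i of x becomes vertex sigma[i] of y."""
    n = len(adj)
    y = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            y[sigma[i]][sigma[j]] = adj[i][j]
    return y


def prover_commit(graph, sigma):
    """Step (a): commit to sigma and, bit by bit, to the adjacency matrix of sigma(graph)."""
    n = len(graph)
    y = permute_graph(graph, sigma)
    rand = [[secrets.token_bytes(16) for _ in range(n)] for _ in range(n)]
    c_y = [[comm(bytes([y[i][j]]), rand[i][j]) for j in range(n)] for i in range(n)]
    r_sigma = secrets.token_bytes(16)
    c_sigma = comm(bytes(sigma), r_sigma)
    return (c_y, c_sigma), {"y": y, "rand": rand, "sigma": sigma, "r_sigma": r_sigma}


def prover_respond(ch, cycle, st):
    """Step (c): ch = 0 opens everything; ch = 1 opens only the n edges of sigma(cycle)."""
    if ch == 0:
        return ("all", st["y"], st["rand"], st["sigma"], st["r_sigma"])
    n = len(cycle)
    img = [st["sigma"][v] for v in cycle]                 # the cycle as it appears in y
    edges = [(img[k], img[(k + 1) % n]) for k in range(n)]
    return ("cycle", [(i, j, st["y"][i][j], st["rand"][i][j]) for i, j in edges])


def verify(graph, commitment, ch, resp):
    """Step (d): the verifier's checks for either challenge."""
    c_y, c_sigma = commitment
    n = len(graph)
    if ch == 0:
        _, y, rand, sigma, r_sigma = resp
        if comm(bytes(sigma), r_sigma) != c_sigma or sorted(sigma) != list(range(n)):
            return False
        if permute_graph(graph, sigma) != y:              # y really is sigma(x)
            return False
        return all(comm(bytes([y[i][j]]), rand[i][j]) == c_y[i][j]
                   for i in range(n) for j in range(n))
    _, opened = resp
    if len(opened) != n:
        return False
    for i, j, bit, r in opened:                           # each opened entry is an edge of y
        if bit != 1 or comm(bytes([bit]), r) != c_y[i][j]:
            return False
    nxt = {i: j for i, j, _, _ in opened}
    if len(nxt) != n:                                     # one outgoing edge per vertex
        return False
    start, v, seen = opened[0][0], opened[0][0], set()
    for _ in range(n):                                    # walk must visit all n vertices once
        if v in seen:
            return False
        seen.add(v)
        v = nxt[v]
    return v == start


def run_hc(graph, cycle, ch):
    """One round of HC between a prover holding `cycle` and an honest verifier."""
    sigma = list(range(len(graph)))
    RAND.shuffle(sigma)
    commitment, st = prover_commit(graph, sigma)
    return verify(graph, commitment, ch, prover_respond(ch, cycle, st))


def experiment_E(n):
    """E(1^n): commit to sigma(K_n) instead of sigma(x) and answer ch = 1 by opening
    an arbitrary cycle of K_n.  No witness for x is needed, which is why a ch = 1
    transcript for w_1 and for w_2 both look like this one under the hiding property."""
    k_n = [[int(i != j) for j in range(n)] for i in range(n)]
    sigma = list(range(n))
    RAND.shuffle(sigma)
    commitment, st = prover_commit(k_n, sigma)
    return verify(k_n, commitment, 1, prover_respond(1, list(range(n)), st))


# Constructed sample: a 5-vertex directed graph containing the cycle 0->1->2->3->4->0.
SAMPLE_GRAPH = [
    [0, 1, 0, 1, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 0, 1, 1],
    [0, 0, 0, 0, 1],
    [1, 0, 1, 0, 0],
]
SAMPLE_CYCLE = [0, 1, 2, 3, 4]
```

Running run_hc with a wrong witness passes on ch = 0 and fails on ch = 1, which is the single-round soundness error of 1/2 that the parallel repetition below drives down; experiment_E accepts for any n without ever touching x or w.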


Using a polynomial number of parallel repetitions of HC_Q, we obtain a quantum UC-WI protocol for NP with negligible soundness error, which we call π_WI and will use in later constructions.

We now construct π^{CF}_{ZK}, which quantum UC-emulates F_ZK in the F_CF-hybrid model.

Let L be an NP language and R_L be the corresponding NP-relation. Let PG be a quantum-secure pseudorandom generator as in Assumption 1, and let ℰ = (Gen, Enc, Dec) be an encryption scheme as in Assumption 2. We define another relation

$$R = \{\, ((x_1, x_2, pk, e), w) \mid (\exists r : \mathrm{Enc}_{pk}(w, r) = e \wedge (x_1, w) \in R_L) \ \vee\ (PG(w) = x_2) \,\}.$$

It is clear that R is an NP-relation, and thus there is a WI proof for R. The key idea of constructing π^{CF}_{ZK} is to exploit the common reference string (CRS) in a clever way. We interpret a CRS s as two parts (s_1, s_2), where s_1 = pk will be used as a public key pk for ℰ, and s_2 will sometimes be an output string of PG. Our π^{CF}_{ZK} then has a simple form: P and V get s = (s_1, s_2), P sends x and e = Enc_{s_1}(w) to V, and next they run a WI protocol on (x_1 = x, x_2 = s_2, pk = s_1, e) using witness w. Intuitively, if the adversary A corrupts the verifier V, then S can choose a fake CRS s' = (s'_1, s'_2) where s'_2 is generated by PG with a random seed r, i.e., s'_2 = PG(r). Then it generates an arbitrary ciphertext as e and uses r as a witness in the WI proof, and witness-indistinguishability ensures that A cannot distinguish this from the case where P uses a real witness w of x. If the prover is corrupted, S can simply generate (pk, sk) ← Gen(1^n) and assign pk as s'_1, while s'_2 is still uniformly chosen. Therefore, whenever A convinces S in the WI protocol, S then decrypts (it knows sk) w = Dec_sk(e). However, there is one subtlety. Namely, R admits two kinds of witnesses: either a real w (which is what we really ask for) s.t. (x, w) ∈ R_L, or a random seed r s.t. PG(r) = s_2. We do not want A to be capable of achieving the latter case. This is easy to guarantee though, because we can choose a generator PG with sufficient expansion factor, e.g., PG : {0,1}^n → {0,1}^{3n}. Then given a uniformly random 3n-bit string s'_2, the probability that there is a seed r ∈ {0,1}^n getting mapped to s'_2 is negligible. Thus whenever a prover succeeds in WI, it must have proved the statement with respect to R_L rather than with respect to PG. The formal description of protocol π^{CF}_{ZK} follows.
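The bound behind the "sufficient expansion factor" remark, carried through with the page's parameters (an added derivation, not part of the original text): PG maps n-bit seeds to 3n-bit strings, so its image has at most 2^n elements, and for a uniformly random s'_2 the union bound over seeds gives

$$\Pr_{s'_2 \leftarrow \{0,1\}^{3n}}\big[\exists r \in \{0,1\}^n : PG(r) = s'_2\big] \;\le\; \frac{|PG(\{0,1\}^n)|}{2^{3n}} \;\le\; \frac{2^n}{2^{3n}} \;=\; 2^{-2n},$$

which is negligible in n. The bound is purely counting, so it holds even against a computationally unbounded prover; any expansion from n to n + ω(log n) bits would already make it negligible.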

UC-secure ZKAoK Protocol π^{CF}_{ZK}

(a) P and V get s = (s_1, s_2) ∈ {0,1}^n × {0,1}^{3n} from F_CF.

(b) P sends x and e = Enc_{s_1}(w) to V.

(c) P and V invoke a WI protocol π_WI for relation R with input instance (x_1 = x, x_2 = s_2, pk = s_1, e). P uses w as a witness for (x_1, x_2, pk, e).

(d) V outputs x if it accepts in π_WI.

Lemma 6.2.10. The classical protocol π^{CF}_{ZK} Q-CUC emulates F_ZK.

Proof. We first deal with the case in which the prover is corrupted.

Claim 6.2.11. For any A corrupting the prover, M_{π^{CF}_{ZK},A} ≈_qci M_{F_ZK,S}.

Proof. Similar to the proof of Lemma 4.2.6, we can define an intermediate machine M which behaves differently from M_{F_ZK,S} only in that it does not check whether w is a true witness and outputs x immediately if π_WI succeeds. Then soundness of π_WI ensures M_{F_ZK,S} ≈_qci M. Moreover, M and M_{π^{CF}_{ZK},A} are simply related by switching between a valid public key and a truly random string. The lemma then follows from Assumption 2. □

Now we consider the case where A corrupts the verifier.
Simulator S: prover is corrupted

Input: adversary A; security parameter 1^n.

(a) S initializes A with whatever input state it receives from the environment.

(b) S internally generates (pk, sk) ← Gen(1^n) and sets s'_1 = pk. It chooses s'_2 ← {0,1}^{3n} uniformly at random. Let s' = (s'_1, s'_2) be the fake CRS, which is given to A.

(c) When S receives (x, e) from A, it decrypts e to get w = Dec_sk(e).

(d) S runs π_WI with A on input instance (x, s'_2, s'_1, e), where S plays the role of the verifier. If S accepts in π_WI, it sends (x, w) to F_ZK.

(e) S outputs whatever A outputs.

Simulator S: verifier is corrupted

Input: adversary A; security parameter 1^n.

(a) S initializes A with whatever input state it receives from the environment.

(b) S waits until it receives x from F_ZK. Then S internally generates s'_1 ← {0,1}^n. It also generates r ← {0,1}^n and sets s'_2 = PG(r). Let s' = (s'_1, s'_2) be the fake CRS, which is given to A.

(c) S sends x and e = Enc_{s'_1}(0^n) to A and then invokes π_WI with A on input instance (x, s'_2, s'_1, e). S uses r as the witness.

(d) S outputs whatever A outputs.

Claim 6.2.12. For any A corrupting the verifier, M_{π^{CF}_{ZK},A} ≈_qci M_{F_ZK,S}.

Proof. We define a sequence of indistinguishable machines as follows.

• M_0 := M_{F_ZK,S}: the ideal-world machine describing S and F_ZK as a single interactive machine.

• M_1: the same as M_0 except that the ciphertext is changed from Enc_{s'_1}(0^n) to e = Enc_{s'_1}(w). Here w is a witness for x, i.e., R_L(x, w) = 1.

• M_2: identical to M_1 except that M_2 uses w as the witness in π_WI.

• M_3: s'_2 is also chosen uniformly at random, rather than pseudorandom. Note that M_3 is exactly the real-world machine M_{π^{CF}_{ZK},A}.

Now we can see that:

• M_0 ≈_qci M_1 because they are simply related by changing the plaintext of the encryption e.

• M_1 ≈_qci M_2 because π_WI is quantum UC-WI.

• M_2 ≈_qci M_3 because they are simply related by switching a pseudorandom string to a uniformly random string.

Thus Claim 6.2.12 holds. □

We finally get that π^{CF}_{ZK} quantum UC-emulates F_ZK. □


Equivalence Between F_ZK and F_COM.

Proposition 6.2.13. (a) Under Assumption 1 and Assumption 2, there is a classical protocol π^{ZK}_{COM} that Q-CUC emulates F_COM in the F_ZK-hybrid model.

(b) There is a constant-round protocol π^{COM}_{ZK} that quantum UC-emulates F_ZK in the F_COM-hybrid model.

F_COM ⊑_{cQ-CUC} F_ZK. This is implied by Theorem 4.1.1. We leave a round-efficient direct reduction as an open question.

F_ZK ⊑_{cQ-CUC} F_COM. This follows from a result of [CF01]. They constructed a classical protocol that C-SUC emulates F_ZK in the F_COM-hybrid model. By Unruh's lifting theorem (Fact 1), classical-SUC emulation implies Q-SUC emulation, and Q-CUC emulation as well.

Equivalence Between F_XOR and F_COM.

Proposition 6.2.14. (a) Under Assumption 1, there is a constant-round protocol that Q-CUC emulates F_COM in the F_XOR-hybrid model.

(b) There is a constant-round protocol π^{COM}_{XOR} that Q-SUC (in particular Q-CUC) emulates F_XOR in the F_COM-hybrid model.

F_COM ⊑_{cQ-CUC} F_XOR. This goes through two steps. First, F_CF ⊑_{cQ-SUC} F_XOR clearly holds: the two parties generate their respective random strings, exchange them via F_XOR, and then set the output coins to be the bit-wise xor of the two strings. Then we can apply a simple hybrid argument and show that the reductions in [?, ?] showing F_COM ⊑_{cQ-CUC} F_CF can be lifted to the Q-CUC setting.

F_XOR ⊑_{cQ-SUC} F_COM. There is a very simple protocol: each party commits to its respective input bit via F_COM, and then both decommit.

Finally, we can conclude that F_ZK ≡ F_XOR ≡ F_COM ≡ F_CF and that they are all Q-CUC complete. We will study in Chapter ?? more systematic characterizations in various settings for a large family of functionalities.

6.3 Lifting Classical Feasibility to Quantum UC Model

In this section we show a bi-directional lifting theorem for feasibility statements. Informally, we show that if a functionality F ∈ U^- is feasible in the classical UC setting, then F is also feasible in the quantum-UC setting, and vice versa. In fact, we can even show a stronger statement, namely that the set of feasible functionalities in U^- is the same set irrespective of whether we are considering the classical or the quantum setting, and independent of the level of security (i.e., computational or statistical). We point out that the computational statements in the following theorem are under the semi-honest OT assumption for the classical setting, and under the assumptions of existence of a quantum-secure pseudorandom generator and a dense encryption that is quantum IND-CPA for the quantum setting.
Theorem 6.3.1 (Quantum Bi-Lifting of Feasibility). Let F ∈ U^-. The following statements are equivalent:

1. F is C-CUC feasible.

2. F is C-SUC feasible.

3. F is Q-SUC feasible.

4. F is Q-CUC feasible.

Proof. (1 ⇒ 2) is already implicit in [?, MPR10]. Specifically, for any F ∈ U^- that is not C-CUC complete, they constructed a trivial protocol that C-SUC emulates F. This implies that in U^- the sets of C-SUC and C-CUC feasible functionalities collapse.

(2 ⇒ 3) is immediate from Unruh's quantum lifting lemma.

(3 ⇒ 4) follows because we require poly-time simulation in the statistical UC model, and hence statistical UC security implies computational UC security under any hardness assumption.

In the remainder of the proof, we argue that (4 ⇒ 1): Assume, towards contradiction, that F is computationally quantum-UC feasible but not computationally classical-UC feasible. Then F is not C-SUC feasible, as statistical feasibility trivially implies computational feasibility under any hardness assumption. This combined with Fact 6 implies that for some F' ∈ {F_OT, F_2CC, F_COM, F_XOR}: F' ⊑_{c-SUC} F, and therefore F' ⊑_{c-CUC} F under the semi-honest OT assumption (again, we use the fact that, as we consider polynomial simulation, statistical security implies computational security under any hardness assumption), which implies that F is C-CUC complete [MPR10]. Now, applying Theorem 6.2.1, we deduce that F is Q-CUC complete. This, combined with the assumption that F is Q-CUC feasible, implies that every F'' ∈ U^- is Q-CUC feasible. This is a contradiction because one can prove (in Lemma 6.3.2 below) that F_COM is not Q-CUC feasible, i.e., there exists no (quantum) protocol that Q-CUC emulates F_COM. The argument is similar to the classical impossibility proof of UC commitments [CF01]. □
6.3.1 Impossibility of Quantum UC Commitment

Canetti and Fischlin [CF01] show the impossibility of realizing F_COM in the plain model achieving computational classical UC security.[3] Roughly speaking, if a protocol π UC-realizes F_COM, then an ideal-world simulator S should be constructible and satisfy the following properties:

• When the committer is corrupted (i.e., controlled by the adversary), S must be able to "extract" the committed value once the commitment phase is done. That is, S has to come up with a value x such that the committer will almost never be able to successfully decommit to any x' ≠ x. This is so since in the ideal process S has to explicitly provide F_COM with a committed value.

• When the receiver is uncorrupted, S has to be able to generate a simulated commitment c that looks like a real commitment and yet can be opened to any value, to be determined at the time of opening. This is so since S has to provide adversary A and environment Z with the simulated commitment c before the value committed to is known. All this needs to be done without rewinding the environment Z.

Intuitively, these requirements look impossible to meet: a simulator that has the above abilities can be used by a dishonest receiver to "extract" the committed value from an honest committer. This intuition can indeed be formalized to show that in the plain model it is impossible to UC-realize F_COM by any two-party protocol. This idea extends to the quantum UC setting naturally, and we can show the following theorem.

Lemma 6.3.2. There exists no protocol in the plain model which computationally Q-CUC realizes the commitment functionality F_COM.

Proof. Suppose, for contradiction, that there exists a (possibly quantum) protocol π that quantum-UC-emulates F_COM. Assume that at the end of the commitment phase the receiver acknowledges the committer by an ACK message. Consider an execution of π by an adversarial committer A_C and an honest receiver R, and WLOG assume that the adversary merely forwards the communication messages between the environment Z_C and the honest receiver R (note that this adversarial behavior is implementable by a quantum adversary, as the adversary does not need to apply any transformation on the state and merely forwards it). Here Z_C privately chooses a random bit b at the beginning and then runs the protocol of the honest committer based on input bit b and R's answers, and then in the name of the committer sends the generated messages to R. Once Z_C receives an ACK message from R at the end of the committing stage, it starts running the honest opening protocol in the name of the committer, and receives bit b' from R at the end of the opening stage. Finally, Z_C outputs 1 iff b' = b. We know that if both committer and receiver are honest in an execution of π, then in the opening phase the receiver always outputs the bit committed to by the committer, i.e., b' = b always holds. By the assumption that π quantum-UC-emulates F_COM, there should exist an ideal-world simulator S that interacts with F_COM and generates a view for Z_C that is indistinguishable from a real execution with π. We note that the view could consist of quantum messages and/or classical messages. In particular, S must make sure b = b' almost always, where b' is the bit that S sends to F_COM. This means that the simulator S must be able to generate the correct bit b before the opening phase.

Next, based on this S, we are able to construct another environment, Z_R, and a corrupted receiver A_R, such that Z_R successfully distinguishes between an execution of π and an interaction with F_COM for any simulator S_R. Z_R and A_R proceed as follows: Z_R chooses a random bit b and hands b as input to the honest committer C; A_R simply runs S and forwards all interaction between the committer and S (again, this strategy is implementable by a quantum adversary, as the adversary does not need to apply any transformation on the state); once A_R receives a bit b', it is passed to Z_R, who then outputs 1 iff b = b'.

Note that S can extract the committed bit b almost always, without rewinding or any additional information. In contrast, when Z_R interacts with F_COM, S_R's view is independent of b, and thus b = b' with probability exactly one half. Therefore, Z_R can tell the difference between its interaction with the real world and with the ideal world for any S_R. □

[3] Note that, statistically, commitment is impossible from scratch even in the stand-alone model [May97, LC97].
6.4 The Reducibility Landscape

In this section we bring the pieces together and describe the cryptographic complexity landscape for U^- in the quantum world. In the case of computational quantum-UC security, we can derive a zero/one law in the flavor of [MPR10]. For statistical quantum-UC security we show that, roughly speaking, every F ∈ U^- is either statistically quantum-UC feasible, or F is statistically quantum-UC complete, or F_XOR statistically quantum-UC reduces to F.

6.4.1 Computational Security: A Zero/One Law

Our quantum lifting theorems for feasibility and completeness imply that all computational UC complete (resp. UC feasible) functionalities in U^- are also computational quantum-UC complete (resp. quantum-UC feasible). Using this fact along with the classical zero/one law, one can derive a zero/one law for the computational quantum-UC setting in a straightforward manner. This proves the following theorem:

Theorem 6.4.1 (A Computational Zero/One Law). Every functionality F ∈ U^- is either computationally quantum-UC feasible or computationally quantum-UC complete.

As a straightforward corollary of the above theorem we can conclude that the quantum lifting theorem for completeness can be made bi-directional in the computational setting. Theorem 6.2.1 already states that computational completeness of some F ∈ U^- in the classical setting implies computational completeness of F in the quantum setting. In the other direction, if F is Q-CUC complete, then Theorem 6.4.1 implies that it is not Q-CUC feasible, which implies (by Theorem 6.3.1) that it is not C-CUC feasible; hence, the computational (classical) zero/one law implies that F is C-CUC complete. This proves the following:

Corollary 6.4.2 (Quantum Bi-lifting of Computational Completeness). Let F ∈ U^- be a functionality. F is computationally UC complete under the semi-honest OT assumption shOT if and only if F is computationally quantum-UC complete under the assumptions of existence of a quantum-secure pseudorandom generator and a dense encryption that is quantum IND-CPA.
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6.4.2 Statistical Security: Three Classes 

We next turn to the setting of statistical security. In the classical setting, the 
cryptographic-complexity landscape is complicated. Apart from the complete and 
feasible functionalities, there is a partition of the set IA~ in clusters for which the 
exact relation is not known. In contrast we can show a “[zero/xor/one]-law” in 
the statistical quantum-UC setting. In other words we can divide the class W~into 
functionalities that are either complete, or feasible, or we can reduce J-xor to them. 
This considerably simplifies the landscape of the classical statistical setting, as the 
hierarchy of functionalities that we can reduce J- 2 cc to collapses at the second level 
(i.e, to J- 2 cc) which is in fact complete in the quantum setting. This illustrates, 
as [UnrlO] mentioned also, that the inverse of the Unruh’s quantum lifting lemma 
is in general not true, which is formalized in the following lemma: 

Lemma 6.4.3. There exist classical well-formed infeasible functionalities Tand 
T' such that there exist an T-hybrid quantum protocol which statistically quantum- 
UC securely realizes T ', but there exists no T-hybrid (classical) protocol which 
statistically (classic) UC realizes T'. 

Proof (sketch). For the cut-and-choose functionality $\mathcal{F}_{\mathrm{2CC}}$, it is shown in [MPR09] that $\mathcal{F}_{\mathrm{2CC}}$ is not statistically UC complete, which implies that there exists no $\mathcal{F}_{\mathrm{2CC}}$-hybrid protocol which statistically UC securely realizes the oblivious transfer functionality $\mathcal{F}_{\mathrm{OT}}$. Indeed, the existence of such a protocol together with the statistical UC completeness of $\mathcal{F}_{\mathrm{OT}}$ would imply statistical UC completeness of $\mathcal{F}_{\mathrm{2CC}}$. However, as shown in Theorem 5.2.1, there exists a quantum $\mathcal{F}_{\mathrm{2CC}}$-hybrid protocol which statistically quantum-UC securely realizes $\mathcal{F}_{\mathrm{OT}}$. □

The following theorem states the aforementioned zero/xor/one-law: 

Theorem 6.4.4 (A [zero/xor/one]-law for the information-theoretic setting). Let $\mathcal{F} \in \tilde{\mathcal{U}}$. Then exactly one of the following statements holds: (1) $\mathcal{F}$ is quantum-UC feasible, (2) $\mathcal{F}$ is quantum-UC complete, and (3) $\mathcal{F}$ is neither quantum-UC complete nor quantum-UC feasible and $\mathcal{F}_{\mathrm{XOR}} \sqsubseteq_{\text{qQ-suc}} \mathcal{F}$.

Furthermore, for each of the three statements, there exists at least one $\mathcal{F} \in \tilde{\mathcal{U}}$ which satisfies it.
Proof (sketch). The proof proceeds in two steps: First (Claim 6.4.5) we show that either $\mathcal{F}$ is quantum-UC feasible, or at least one of the following two statements holds: (1) $\mathcal{F}$ is quantum-UC complete and (2) $\mathcal{F}_{\mathrm{XOR}} \sqsubseteq_{\text{qQ-suc}} \mathcal{F}$. In a second step (Claim 6.4.6) we show that $\mathcal{F}_{\mathrm{XOR}}$ is not UC complete. Because (1) $\mathcal{F}_{\mathrm{XOR}}$ is also not statistically quantum-UC feasible (otherwise, this would imply that it is also computationally (classical) UC feasible, contradicting the results of [MPR10]) and (2) statistically quantum-UC feasible functionalities are not statistically quantum-UC complete (as implied by Lemma 6.3.2), we can deduce that there is at least one functionality that satisfies each case.

Claim 6.4.5. Either $\mathcal{F}$ is quantum-UC feasible, or at least one of the following two statements holds: (1) $\mathcal{F}$ is quantum-UC complete and (2) $\mathcal{F}_{\mathrm{XOR}} \sqsubseteq_{\text{qQ-suc}} \mathcal{F}$.

Proof. Fact 6 combined with Theorem 5.2.1 and the completeness of $\mathcal{F}_{\mathrm{COM}}$ imply that when $\mathcal{F}$ is not feasible then $\mathcal{F}_{\mathrm{OT}} \sqsubseteq_{\text{qQ-suc}} \mathcal{F}$ or $\mathcal{F}_{\mathrm{XOR}} \sqsubseteq_{\text{qQ-suc}} \mathcal{F}$. The statistical UC completeness of $\mathcal{F}_{\mathrm{OT}}$ implies (Theorem 6.2.1) statistical quantum-UC completeness of $\mathcal{F}_{\mathrm{OT}}$; hence, $\mathcal{F}_{\mathrm{OT}} \sqsubseteq_{\text{qQ-suc}} \mathcal{F}$ implies that $\mathcal{F}$ is statistically quantum-UC complete. Furthermore, the feasibility quantum lifting theorem (Theorem 6.3.1) implies that $\mathcal{F}_{\mathrm{OT}}$ and $\mathcal{F}_{\mathrm{XOR}}$ are not statistically quantum-UC feasible (as this would imply that they are computationally (classical) UC feasible, contradicting the results of [MPR10]). □

Claim 6.4.6. The functionality $\mathcal{F}_{\mathrm{XOR}}$ is not statistically quantum-UC complete.

Proof. The proof proceeds in two steps: In a first step we show that $\mathcal{F}_{\mathrm{XOR}}$ is statistically quantum-UC equivalent⁴ to the simultaneous exchange functionality $\mathcal{F}_{\mathrm{EXCH}}$, which allows two parties each having one bit of input to fairly and securely exchange their inputs. In a second step, we show that $\mathcal{F}_{\mathrm{EXCH}}$ is not quantum-UC complete, which, as $\mathcal{F}_{\mathrm{EXCH}}$ is equivalent to $\mathcal{F}_{\mathrm{XOR}}$, implies that $\mathcal{F}_{\mathrm{XOR}}$ is also not quantum-UC complete.

Step 1: One can classically implement $\mathcal{F}_{\mathrm{EXCH}}$ from $\mathcal{F}_{\mathrm{XOR}}$ as follows: Alice and Bob input their bits $b_A$ and $b_B$, respectively, into the $\mathcal{F}_{\mathrm{XOR}}$ functionality and obtain the output $y$. Alice outputs $y_A = y \oplus b_A$ and Bob outputs $y_B = y \oplus b_B$. Similarly, one can classically implement $\mathcal{F}_{\mathrm{XOR}}$ from $\mathcal{F}_{\mathrm{EXCH}}$ as follows: Alice and Bob input their bits $b_A$ and $b_B$, respectively, into the $\mathcal{F}_{\mathrm{EXCH}}$ functionality and obtain their respective outputs $y_A$ and $y_B$; they both output $y = y_A \oplus y_B$. Both implementations are trivially statistically (in fact, even perfectly) UC secure in the classical setting; hence, the quantum lifting theorem [Unr10] implies that there are also statistically quantum-UC secure reductions between $\mathcal{F}_{\mathrm{EXCH}}$ and $\mathcal{F}_{\mathrm{XOR}}$.

⁴ By this we mean that there exists a protocol that statistically quantum-UC realizes $\mathcal{F}_{\mathrm{XOR}}$ from $\mathcal{F}_{\mathrm{EXCH}}$ and vice versa.

Step 2: For proving that $\mathcal{F}_{\mathrm{EXCH}}$ (hence also $\mathcal{F}_{\mathrm{XOR}}$) is not statistically quantum-UC complete, it suffices to prove that one cannot construct a quantumly secure commitment scheme assuming $\mathcal{F}_{\mathrm{EXCH}}$ (on top of regular communication). This is an easy extension of the impossibility proof of quantum commitment by Lo and Chau [LC97]: the key idea in [LC97] is that a dishonest committer (Alice) could purify her operations and make sure that at the end of the commit phase, the joint state with the receiver (Bob) will be a pure state $|\Psi^b_{AB}\rangle$, where $b$ is the bit Alice is supposed to commit to. But the hiding property, which we assume is perfect for simplicity, requires that $\mathrm{tr}_A(|\Psi^0_{AB}\rangle\langle\Psi^0_{AB}|) = \mathrm{tr}_A(|\Psi^1_{AB}\rangle\langle\Psi^1_{AB}|) =: \rho_B$. This immediately implies that $|\Psi^0_{AB}\rangle$ and $|\Psi^1_{AB}\rangle$ are just two possible purifications of the same $\rho_B$, and by Uhlmann's theorem there exists a unitary $U_A$ operating on Alice's system alone that transforms $|\Psi^0_{AB}\rangle$ into $|\Psi^1_{AB}\rangle$. Thus Alice breaks binding completely. Here we use a generalization by Winkler et al. [WTHR11], claiming that if the joint state is pure conditioned on the symmetric classical information available to both Alice and Bob, then an analogous transformation also exists. Now observe that, given any quantum protocol with a classical fair-exchange channel $\mathcal{F}_{\mathrm{EXCH}}$, the classical information will always be symmetric between the two parties, and a dishonest Alice can as well purify her operations and apply the transformation guaranteed by [WTHR11] to break the binding property. □

This completes the proof of the theorem. □

To complete the picture in Figure 6.1 we need to show that not only $\mathcal{F}_{\mathrm{XOR}}$ is not complete, but the whole “exchange-like hierarchy” from [MPR09] consists of incomplete primitives. This hierarchy is a family of primitives, denoted by $\mathcal{E}$, that correspond to simultaneous exchange channels (of the type of $\mathcal{F}_{\mathrm{EXCH}}$) for different input lengths. In other words, $\mathcal{E}$ consists of two-party functionalities $\mathcal{F}_{\mathrm{EXCH}}^{(\ell_1,\ell_2)}$ where $(\ell_1, \ell_2) \in \mathbb{N}^2$, defined as follows: $\mathcal{F}_{\mathrm{EXCH}}^{(\ell_1,\ell_2)}$ takes from Alice a message $x_A \in \{0,1\}^{\ell_1}$ and from Bob a message $x_B \in \{0,1\}^{\ell_2}$; it returns to Alice $x_B$ and to Bob $x_A$. Note that all the primitives in this hierarchy are sufficient for implementing $\mathcal{F}_{\mathrm{XOR}}$ and, therefore, are not UC-feasible. Additionally, it is straightforward to verify that the proof of Claim 6.4.6 goes through even if we replace $\mathcal{F}_{\mathrm{XOR}}$ by any of the primitives in $\mathcal{E}$.

This proves the following:

Lemma 6.4.7. For any $\mathcal{F}_{\mathrm{EXCH}}^{(\ell_1,\ell_2)} \in \mathcal{E}$: $\mathcal{F}_{\mathrm{EXCH}}^{(\ell_1,\ell_2)}$ is neither statistically quantum-UC complete nor statistically quantum-UC feasible.



Figure 6.1. The feasibility/completeness landscape for the class of deterministic finite two-party functionalities in the statistical quantum-UC setting. The set $\tilde{\mathcal{U}}$ corresponds to the white area. The solid lines represent separations between non-equivalent primitives which exist both in the quantum-UC and in the classical-UC setting. The dotted lines represent separations that exist only in the classical-UC setting. The three dots over 1XOR (resp. 2CC) represent the infinite hierarchy of XOR (resp. CC) primitives which was proved by [MPR09, KMQ11]. Note that in the classical setting both hierarchies are strict, i.e., lower primitives are separated from higher, but in the quantum setting the CC hierarchy collapses at the second level, as 2CC is quantum-UC complete (Corollary ??).

Figure 6.2. The feasibility/completeness landscape for the class of deterministic finite two-party functionalities in the computational quantum-UC setting. The set $\tilde{\mathcal{U}}$ corresponds to the white area. The solid lines represent separations between non-equivalent primitives. The picture is the same in the quantum-UC and in the classical-UC setting.




Chapter 7

A Reduction from Finding Units in a Number Field to a Hidden Subgroup Problem

In this chapter we show that finding the group of units in a number field of arbitrary degree (hereafter referred to as Unit-Finding) can be reduced to a Hidden Subgroup Problem (HSP) instance. The best known classical algorithms for Unit-Finding take exponential time. In contrast, our work demonstrates the potential of an efficient quantum algorithm, because most quantum algorithms that have an exponential speedup over the best known classical algorithms involve solving an HSP. For example, Shor's quantum factoring algorithm reduces factoring to the HSP over $\mathbb{Z}$, and then gives an efficient quantum algorithm solving this specific HSP instance.

Before our work, it was known that Unit-Finding in number fields of constant degree $d$ reduces to an HSP over $\mathbb{R}^d$, which can be solved by a poly-time quantum algorithm. However, there are fundamental difficulties in extending the reduction to the arbitrary degree case. Our result thus makes the first important step towards a complete efficient quantum algorithm for Unit-Finding in arbitrary degree. We leave as an open question to find an efficient quantum algorithm to solve the HSP instance proposed in our reduction. The material of this chapter is adapted from joint work with Eisenträger, Hallgren and Kitaev [EHKS13].






7.1 Defining the Problems 

Unit Finding. A number field $F$ is a finite extension of $\mathbb{Q}$. Its ring of integers $\mathcal{O}_K$ is defined as the set of elements in $F$ that are the root of some monic polynomial in $\mathbb{Z}[X]$. We will be interested in invertible elements in $\mathcal{O}_K$, which form a group $\mathcal{O}_K^* = \{u \in \mathcal{O}_K : \exists v \in \mathcal{O}_K \text{ with } uv = 1\}$.

Definition 7.1.1 (Unit-Finding). Let $F$ be a number field of degree $n$. Given a description of the ring of integers $\mathcal{O}_K$ of $F$, find the group of units $\mathcal{O}_K^*$.

Here the description of $\mathcal{O}_K$ is given by a $\mathbb{Z}$-basis $\{\omega_1, \ldots, \omega_n\}$ together with its multiplication table. The multiplication table is a set of $n^3$ integers which defines the multiplicative relations of $\{\omega_i\}$ in $F$: $\omega_i\omega_j = \sum_{k=1}^{n} c_{ijk}\,\omega_k$. In this way any $a \in \mathcal{O}_K$ can be uniquely written as $a = \sum_i a_i\omega_i$, $a_i \in \mathbb{Z}$, and in addition $\{\omega_i\}$ also gives a $\mathbb{Q}$-basis for $F$. Because the units can have exponential length in this representation, we actually need to compute a basis for a standard embedding of $\mathcal{O}_K^*$ into real space, which forms a lattice. The running time of computations in $F$ is parameterized by $n$ and the size of its discriminant $\Delta$ (i.e., $\log\Delta$). $\Delta$ is the determinant of the matrix $[\mathrm{Tr}(\omega_i\omega_j)]_{i,j}$, where $\mathrm{Tr}$ is the trace map. More background about computational issues in number fields can be found in [Thi95].
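As an added illustration of this representation (example code written for this page, not code from the thesis or from [EHKS13]): the order $\mathbb{Z}[\sqrt{2}] \subset \mathbb{Q}(\sqrt{2})$ is given by the $\mathbb{Z}$-basis $\{1, \sqrt{2}\}$ and its multiplication table, and the trace, norm and discriminant are computed from the multiplication-by-$a$ matrices in that basis. Units are recognised by norm $\pm 1$, and the powers of the fundamental unit $1+\sqrt{2}$ show the exponential coefficient growth the paragraph refers to. The class name, the table constants and the assumption that $\omega_1 = 1$ are constructed for this example.

```python
from fractions import Fraction


def det(matrix):
    """Exact determinant of an integer matrix by Gaussian elimination over Q."""
    m = [[Fraction(x) for x in row] for row in matrix]
    n = len(m)
    result = Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return 0
        if pivot != col:
            m[col], m[pivot] = m[pivot], m[col]
            result = -result
        result *= m[col][col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n):
                m[r][c] -= factor * m[col][c]
    return int(result)


class Order:
    """An order O_K described as in Section 7.1: a Z-basis {omega_1, ..., omega_n} and a
    multiplication table c[i][j][k] with omega_i * omega_j = sum_k c[i][j][k] * omega_k.
    Elements are integer coefficient vectors with respect to that basis."""

    def __init__(self, table):
        self.n = len(table)
        self.c = table

    def mul(self, a, b):
        n = self.n
        out = [0] * n
        for i in range(n):
            for j in range(n):
                if a[i] and b[j]:
                    for k in range(n):
                        out[k] += a[i] * b[j] * self.c[i][j][k]
        return out

    def power(self, a, e):
        # assumption of this example: omega_1 is the element 1 of the order
        result = [1] + [0] * (self.n - 1)
        for _ in range(e):
            result = self.mul(result, a)
        return result

    def mult_matrix(self, a):
        """Matrix of x -> a*x in the basis; column j holds the coefficients of a*omega_j."""
        n = self.n
        cols = [self.mul(a, [1 if i == j else 0 for i in range(n)]) for j in range(n)]
        return [[cols[j][k] for j in range(n)] for k in range(n)]

    def trace(self, a):
        return sum(self.mult_matrix(a)[i][i] for i in range(self.n))

    def norm(self, a):
        return det(self.mult_matrix(a))

    def is_unit(self, a):
        # a is invertible in O_K exactly when its norm is +1 or -1
        return self.norm(a) in (1, -1)

    def discriminant(self):
        """det [Tr(omega_i omega_j)]_{i,j}, computed from the multiplication table alone."""
        n = self.n
        basis = [[1 if i == j else 0 for i in range(n)] for j in range(n)]
        return det([[self.trace(self.mul(basis[i], basis[j])) for j in range(n)] for i in range(n)])


# Constructed example: Z[sqrt(2)] with omega_1 = 1, omega_2 = sqrt(2):
# omega_1*omega_1 = omega_1, omega_1*omega_2 = omega_2, omega_2*omega_2 = 2*omega_1.
SQRT2_TABLE = [
    [[1, 0], [0, 1]],
    [[0, 1], [2, 0]],
]
# Constructed example: Z[i] with omega_2 = i (omega_2*omega_2 = -omega_1).
GAUSS_TABLE = [
    [[1, 0], [0, 1]],
    [[0, 1], [-1, 0]],
]

if __name__ == "__main__":
    O = Order(SQRT2_TABLE)
    print("disc Z[sqrt2] =", O.discriminant())               # 8
    print("N(1+sqrt2) =", O.norm([1, 1]), "unit:", O.is_unit([1, 1]))
    print("(1+sqrt2)^10 =", O.power([1, 1], 10))             # coefficients grow exponentially
    print("N(2+sqrt2) =", O.norm([2, 1]), "unit:", O.is_unit([2, 1]))
```

The discriminant of $\mathbb{Z}[\sqrt{2}]$ comes out as $8$ and that of $\mathbb{Z}[i]$ as $-4$, matching the standard values; the tenth power of $1+\sqrt{2}$ already has four-digit coefficients, which is why the thesis works with the logarithmic embedding of $\mathcal{O}_K^*$ rather than with coefficient vectors.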

Hidden Subgroup Problem. In an HSP instance, we have a group $G$ and an efficiently computable function $f$, mapping $G$ to a set, which hides a subgroup $H$ in the sense that $f$ is constant within each coset of $H$, but takes distinct values on different cosets. Our goal is to find a set of generators of $H$. It is known that there exist efficient quantum algorithms that solve the HSP on any finite Abelian group, $\mathbb{Z}^k$, $\mathbb{R}^r$ with $r$ constant and some special non-Abelian groups. We refer to [Lom04] for a survey on HSP.

Definition 7.1.2 (HSP over $G$: standard definition). Given $(G, f)$ as input such that there is a subgroup $H \le G$ satisfying the following properties:

1. $f(x)$ can be computed in polynomial time for any $x \in G$;

2. $f(x) = f(y)$ for any $x - y \in H$;

3. $f(x) \neq f(y)$ if $x - y \notin H$.

Given such an efficiently computable function $f$, compute a set of generators for $H$.
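A concrete instance of Definition 7.1.2 over $G = \mathbb{Z}$, written for this page as an added example (not code from the thesis or from [EHKS13]): the order-finding oracle $f(x) = a^x \bmod N$ that Shor's reduction uses hides the subgroup $H = r\mathbb{Z}$, where $r$ is the multiplicative order of $a$ modulo $N$. The code checks properties 2 and 3 of the definition on a finite window of $\mathbb{Z}$, recovers a generator of $H$ by brute force (the step that is exponential classically and that a quantum HSP solver replaces), and runs the classical post-processing that turns the period into factors of $N$. The function names and the sample values $a = 7$, $N = 15$ and $a = 2$, $N = 21$ are constructed.

```python
from math import gcd


def period_oracle(a, N):
    """HSP oracle over Z for order finding: f(x) = a^x mod N is constant on each coset of
    H = r*Z (r = ord_N(a)) and takes distinct values on distinct cosets."""
    if gcd(a, N) != 1:
        raise ValueError("a must be invertible mod N")
    # pow handles negative exponents via the modular inverse (Python >= 3.8)
    return lambda x: pow(a, x, N)


def brute_force_order(a, N):
    """Smallest r > 0 with a^r = 1 mod N; exponential in log N, which is exactly what the
    quantum HSP algorithm avoids."""
    r, acc = 1, a % N
    while acc != 1:
        acc = acc * a % N
        r += 1
    return r


def check_hsp_instance(f, H_generator, window):
    """Properties 2 and 3 of Definition 7.1.2 on a finite window:
    f(x) == f(y) exactly when x - y lies in H = H_generator * Z."""
    return all((f(x) == f(y)) == ((x - y) % H_generator == 0)
               for x in window for y in window)


def hidden_subgroup_generator(f, bound):
    """For G = Z every subgroup is r*Z, so a generator is the smallest positive x with
    f(x) = f(0) (searched up to `bound`)."""
    for r in range(1, bound + 1):
        if f(r) == f(0):
            return r
    return None


def factor_from_period(a, N, r):
    """Classical post-processing of Shor's reduction: if r is even and a^(r/2) != -1 mod N,
    then gcd(a^(r/2) - 1, N) and gcd(a^(r/2) + 1, N) are non-trivial factors of N."""
    if r % 2:
        return None
    half = pow(a, r // 2, N)
    if half == N - 1:
        return None
    return tuple(sorted((gcd(half - 1, N), gcd(half + 1, N))))


if __name__ == "__main__":
    f = period_oracle(7, 15)
    r = hidden_subgroup_generator(f, 100)
    print("hidden subgroup of f(x) = 7^x mod 15 is", r, "* Z")
    print("definition holds on [-40, 40]:", check_hsp_instance(f, r, range(-40, 41)))
    print("factors of 15 from the period:", factor_from_period(7, 15, r))
```

The window check is what distinguishes the standard (discrete) definition from the continuous one in Definition 7.1.3: over $\mathbb{Z}$ the test $f(x) = f(0)$ is an exact comparison of two integers, which is precisely what is unavailable over $\mathbb{R}^m$.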


In our work, we will work with the continuous group $\mathbb{R}^m$, in which the usual HSP formulation does not extend smoothly. For example, for a transcendental number $x$, it is not possible to check if $f(x) = f(0)$. Instead, we make the following generalized definition:

Definition 7.1.3 (The continuous HSP over $\mathbb{R}^m$). The unknown subgroup $\Lambda \subset \mathbb{R}^m$ is a full rank lattice satisfying some promise: the norm of the shortest vector is at least $\lambda$ and the unit cell volume is at most $d$. Let $f : \mathbb{R}^m \to S$ be a function, where $S$ is the set of unit vectors in some Hilbert space. We assume that $f$ hides $\Lambda$ in the following way.

1. $f$ is periodic on $\Lambda$: for all $v \in \Lambda$, $x \in \mathbb{R}^m$, $f(x) = f(x + v)$;

2. If $\min_{u \in \Lambda}\|x - y - u\| < r_1$, then $|\langle f(x)|f(y)\rangle| > 1 - \epsilon_1$;

3. If $\min_{u \in \Lambda}\|x - y - u\| > r_2$, then $|\langle f(x)|f(y)\rangle| < \epsilon_2$.

Given such an efficiently computable function $f$, which we call an $(r_1, r_2, \epsilon_1, \epsilon_2)$-oracle function, compute a basis for $\Lambda$.

We may strengthen the second condition to satisfying the Lipschitz property. Namely, $\big\||f(x)\rangle - |f(y)\rangle\big\| \le a \cdot \mathrm{dist}(x, y)$ for all $x, y \in \mathbb{R}^m$. This gives a stronger version of our HSP definition. It is not yet clear if the two definitions are actually equivalent; the Lipschitz property in the stronger version seems to make the HSP instance easier to solve.

Definition 7.1.4 (The continuous HSP over $\mathbb{R}^m$: stronger version). The unknown subgroup $\Lambda \subset \mathbb{R}^m$ is a full rank lattice satisfying some promise: the norm of the shortest vector is at least $\lambda$ and the unit cell volume is at most $d$. Let $f : \mathbb{R}^m \to S$ be a function, where $S$ is the set of unit vectors in some Hilbert space. We assume that $f$ hides $\Lambda$ in the following way.

1. $f$ is periodic on $\Lambda$: for all $v \in \Lambda$, $x \in \mathbb{R}^m$, $f(x) = f(x + v)$;

2. $\big\||f(x)\rangle - |f(y)\rangle\big\| \le a \cdot \mathrm{dist}(x, y)$ for all $x, y \in \mathbb{R}^m$;

3. If $\min_{u \in \Lambda}\|x - y - u\| > r$, then $|\langle f(x)|f(y)\rangle| < \epsilon$.

Given such an efficiently computable function $f$, compute a basis for $\Lambda$.

History on Solving Unit-Finding on a Quantum Computer. Computing the unit group appears to be hard classically. The best classical algorithm takes exponential time. Actually, merely solving the degree one case would imply an efficient classical factoring algorithm. In contrast, efficient quantum algorithms exist for constant degrees [Hal07, Hal05, SV05]. In particular they showed a reduction of this problem to the HSP over $\mathbb{R}^d$ with $d$ constant. However, their reduction (at least) requires solving a shortest vector problem in a lattice, which is feasible in constant dimensions, but believed intractable even for quantum computers in higher dimensions. This difficulty, among others, prevents extending the reduction to arbitrary degree field extensions. As shown in the next section, we propose new ideas to get around these difficulties, and reduce Unit-Finding in a number field of arbitrary degree to an HSP instance over $\mathbb{R}^m$ as in Definition 7.1.3.

7.2 Main Result and Proof Idea 

Our main result is showing that Unit-Finding reduces to (continuous) HSP as in Definition 7.1.3.

Theorem 7.2.1. Given as input $\mathcal{O}_K$ of a number field $K$ with degree $n$, there is a function $g$ which is an HSP instance over $\mathbb{R}^m$ with $m = O(n)$, as per Definition 7.1.3. In addition, $g$ can be computed efficiently on a quantum computer.

Overview of the reduction. There is a canonical embedding of $\mathcal{O}_K$ into a subset $G \subset \mathbb{R}^m$, for $m = O(n)$. Then the embedding of $\mathcal{O}_K^*$ will be a full-rank lattice $\Lambda$ in $G$, and our goal becomes computing a basis for $\Lambda$. We refer to [Thi95] for a gentle review of number-theoretical background.

Our algorithm involves two subroutines. The first one is classical and the second one is quantum. They constitute a realization of a quantum oracle:

$$g : G \to \text{quantum states} : t \mapsto |f(t)\rangle.$$

Here $|f(t)\rangle$ is a double Gaussian superposition which encodes a lattice into a quantum state.

The first subroutine computes a mapping $f$ which maps a real vector $t$ into a lattice $L_t \subset \mathbb{R}^n$ with the HSP property. Namely, any $t - t' \in \Lambda$ will end up with the same lattice $L_t = L_{t'}$, and if $t - t' \notin \Lambda$, $L_t \neq L_{t'}$. However, for real-valued lattices, there is no unique representation¹. Moreover, because of the finite precision for computation with real numbers, we can only compute an approximate basis $B_t$ of a lattice. As a result, we obtain a function with an approximate HSP property. This step is not the main focus of this thesis. Here we only state the main statement without proof, and refer the readers to our paper [EHKS13] for details.

Proposition 7.2.2. Let $\Lambda \subset G$ be the embedding of $\mathcal{O}_K^*$. Let $B_R \subset \mathbb{R}^n$ be the ball around the origin with radius $R = n^{3/2}\,2^{2n}\sqrt{n^n d}$. There is a poly-time classical algorithm that computes a function $f : G \to \mathbb{Q}^{n \times n}$ where $f(t)$ is a basis for a lattice in $\mathbb{Q}^n$ satisfying:

1. If $\mathrm{dist}((t - t'), \Lambda) < r_1$, then there is a one-one correspondence $h : L(B_t) \to L(B_{t'})$ such that $\forall u \in L(B_t) \cap B_R$, $\|u - h(u)\| < \beta_1$.

2. If $\mathrm{dist}((t - t'), \Lambda) > r_2$, then $\exists I \subset L(B_t)$ and $I' \subset L(B_{t'})$ such that $\|x - x'\| > \beta_2$ for $(x, x') \notin I \times I'$. In addition $\beta_2 > 8\pi^2 n^3 \beta_1$.

The second step is to create a double-Gaussian state $|f(t)\rangle$ representing the lattice $L_t$. Basically, each lattice point corresponds to a superposition of neighboring points in a sufficiently fine discrete grid, and the amplitude decreases with the distance to the lattice point according to a Gaussian function $g_t(\cdot) := e^{-\pi\|\cdot\|^2/t^2}$. Then another (outer) Gaussian superposition encodes the overall structure of the lattice. Such an encoding has the property that a small deformation in a lattice results in a small change in its quantum encoding, whereas substantially different lattices will be mapped to almost orthogonal quantum states. This combined with the classical mapping $f$ gives us the HSP function $g$ with the properties we want as in Definition 7.1.3. The formal statement can be found in Theorem 7.3.6.

¹ In contrast, for integral (or rather rational) lattices, we can take a basis in HNF form as the canonical and unique representation.
7.3 Reduction Details: Double Gaussian Quantum Encoding

In this section, we discuss formally the double-Gaussian quantum encoding and 
its properties. We also show how to implement such an encoding by an efficient 
quantum algorithm. Once these tools are ready, we can show the correctness of 
the function g we get in our reduction. 

Let $L, L' \subset \mathbb{R}^n$ be lattices. In a double-Gaussian quantum encoding, we have an outside Gaussian with parameter $s$ which will determine the set of lattice points we will consider. An inside Gaussian over a discrete grid with parameter $t$, for handling rounding errors, will be placed around each point. The Gaussian placed around a point will be wide enough so that for two different vectors that are close, their associated Gaussian “bumps” will have large overlap. Finally, we must ensure that different points of $L$ and $L'$ that are not the same are far enough apart so that the inner Gaussians for two different points are very far apart and have small inner product. Overall, the inner product between the quantum encodings of two lattices will be determined by the fraction of lattice points in $L \times L'$ that are close by.

More precisely, let $G := \delta\mathbb{Z}^n$ denote a discrete grid with side-length $\delta$; $\delta$ is properly chosen so that Proposition 7.2.2 holds. The double Gaussian superposition over $L$ is:

$$|L\rangle := \alpha \sum_{x \in L}\sqrt{g_s(x)}\sum_{y \in \delta\mathbb{Z}^n}\sqrt{g_t(y)}\;|x + y\rangle$$

with proper normalization factor $\alpha$.

In reality, we can only prepare a state with finite superposition to approximate $|L\rangle$. Moreover, we only have a rational basis $B$ up to a certain precision that generates an approximation for $L \subset \mathbb{R}^n$. But we can make sure that in the finite region that matters the rational vectors approximate the real vectors in $L$ with sufficient precision.

Specifically, let $L := L(B)$ be a lattice in $\mathbb{Q}^n$. Define the truncated sets $\tilde{L} = L|_{\sqrt{n}s}$ and $\tilde{G} = G|_{\sqrt{n}t}$, where $S|_r := S \cap B(0, r)$ denotes the elements of $S$ inside the ball $B(0, r) \subset \mathbb{R}^n$ around the origin of radius $r$. The actual state we use that encodes $L$ will be the normalized version of:

$$|\tilde{L}\rangle := \sum_{x \in \tilde{L}}\sum_{y \in \tilde{G}}\sqrt{g_s(x)\,g_t(y)}\;|x + y\rangle.$$

One useful fact states that the summation of the Gaussian function over a lattice is actually concentrated on a bounded region of the lattice. More precisely, $g_s(L|_{\sqrt{n}s}) \ge (1 - 2^{-2n})\,g_s(L)$. This means that $|\tilde{L}\rangle$ is exponentially close to the state with superposition over the whole infinite lattice, and they behave almost identically as far as any poly-time quantum operations are concerned.

We want to show a nice property of the double Gaussian encoding, which states 
that a small deformation in a lattice results in a small change in its quantum encod¬ 
ing, whereas substantially different lattices will be mapped to almost orthogonal 
quantum states. To this end, we study the inner product of the double Gaussian 
states that encode two lattices in the next section. 

7.3.1 Inner product between double Gaussian states 

Let $L$ and $L'$ be two lattices in $\mathbb{Q}^n$. They are rational representations of some real-valued lattices. If two real-valued lattices intersect in some sublattice, then the rational representations of the lattices will each have a sub-lattice that can be paired up by close points. Let $|\varphi\rangle$ and $|\varphi'\rangle$ be the finite double Gaussian encodings of $L$ and $L'$ respectively:

$$|\varphi\rangle := \sum_{x \in L}\sum_{y \in G}\sqrt{\frac{g_s(x)}{g_s(L)}\cdot\frac{g_t(y)}{g_t(G)}}\;|x + y\rangle, \qquad |\varphi'\rangle := \sum_{x \in L'}\sum_{y \in G}\sqrt{\frac{g_s(x)}{g_s(L')}\cdot\frac{g_t(y)}{g_t(G)}}\;|x + y\rangle.$$


Proposition 7.3.1. Given lattices $L$ and $L'$ in $\mathbb{Q}^n$, sublattices $I \subset L$ and $I' \subset L'$. Assume there is a 1-1 correspondence $h : I \to I'$ s.t., for any $(x, x') \in L \times L'$:

(a) if $(x, x') \in C := \{(u, v) \in I \times I' : v = h(u)\}$, then $\|x - x'\| < \beta_1$;

(b) otherwise $\|x - x'\| > \beta_2$.

Then

$$\langle\varphi|\varphi'\rangle \in \left(1 \pm \frac{4}{n^2}\right)\cdot\frac{g_s(I)}{\sqrt{g_s(L)\,g_s(L')}}$$

whenever $s, t > 4\pi^2 n^{5/2}\beta_1$ and $\beta_2 > 2t\sqrt{n}$.

Here $\beta_1$ can be interpreted as an upper bound on the error introduced by rounding, and $\beta_2$ is the minimum distance between pairs of points in $L \times L' - C$. We need a few technical lemmas below to prove Proposition 7.3.1.


Lemma 7.3.2. Let $u, v \in \mathbb{R}^n$ with $\|v\| \le \ell$ and $\|u\| \le d$. Then

$$g_s(v + u) \in \left[e^{-\pi\frac{2\ell d + \ell^2}{s^2}},\; e^{\pi\frac{2\ell d}{s^2}}\right]\cdot g_s(u).$$

In particular, if $s \ge 2\pi n \cdot \max\{\sqrt{\ell d}, \ell\}$, then $g_s(v + u) \in (1 \pm \frac{1}{n^2})\cdot g_s(u)$.

Proof.

$$g_s(v + u) = e^{-\pi\frac{\|v + u\|^2}{s^2}} = g_s(u)\cdot e^{-\pi\frac{2\langle v, u\rangle + \|v\|^2}{s^2}}.$$

By the Cauchy–Schwarz inequality $|\langle v, u\rangle| \le \|u\|\cdot\|v\|$, we have

$$g_s(u)\,e^{-\pi\frac{2\|u\|\|v\| + \|v\|^2}{s^2}} \le g_s(v + u) \le g_s(u)\,e^{\pi\frac{2\|u\|\|v\| - \|v\|^2}{s^2}}.$$

Since $\|v\| \le \ell$ and $\|u\| \le d$, we have

$$e^{-\pi\frac{2\|u\|\|v\| + \|v\|^2}{s^2}} \ge e^{-\pi\frac{2\ell d + \ell^2}{s^2}} \qquad\text{and}\qquad e^{\pi\frac{2\|u\|\|v\| - \|v\|^2}{s^2}} \le e^{\pi\frac{2\ell d}{s^2}}.$$

Finally, if we pick $s \ge 2\pi n \cdot \max\{\sqrt{\ell d}, \ell\}$, then $e^{-\pi\frac{2\ell d + \ell^2}{s^2}} \ge 1 - \frac{1}{n^2}$ and $e^{\pi\frac{2\ell d}{s^2}} \le 1 + \frac{1}{n^2}$. □

Corollary 7.3.3 (Sets). Let $v \in \mathbb{R}^n$, $S \subset \mathbb{R}^n$ with $\|v\| \le \ell$ and $\|x\| \le d$, $\forall x \in S$. Then $g_s(v + S) \in (1 \pm \frac{1}{n^2})\,g_s(S)$ whenever $s \ge 2\pi n \cdot \max\{\sqrt{\ell d}, \ell\}$.

Proof. By Lemma 7.3.2, $g_s(v + S) = \sum_{x \in S} g_s(v + x) = \sum_{x \in S}(1 \pm \frac{1}{n^2})\,g_s(x) = (1 \pm \frac{1}{n^2})\,g_s(S)$. □

Corollary 7.3.4. Let $I$ and $I'$ be lattices satisfying that there is a 1-1 correspondence $h : I \to I'$ s.t. $\|x - h(x)\| \le \ell$, $\forall x \in I$. Then $g_s(I) \in (1 \pm \frac{1}{n^2})\,g_s(I')$ whenever $s \ge 4\pi^2 n^{5/2}\ell$.

Proof.

$$g_s(I) = \sum_{x \in I} g_s(x) = \sum_{x \in I} g_s\big(h(x) + (x - h(x))\big) \in \left(1 \pm \frac{1}{n^2}\right)\sum_{x \in I} g_s(h(x)) = \left(1 \pm \frac{1}{n^2}\right) g_s(I'),$$

if $s \ge 2\pi n \cdot \max\{\sqrt{\ell\sqrt{n}s}, \ell\} = 4\pi^2 n^{5/2}\ell$ by Lemma 7.3.2. □

We then derive a lemma characterizing Gaussian summations on a lattice and its proper sublattices.

Lemma 7.3.5. Let $I$ be a proper sublattice of $L$; then $\frac{g_s(I)}{g_s(L)} \le \frac{2}{3}$ for any $n \ge 2$ and $s \ge 4\pi^2 n^3 \lambda_n(L)$.

Proof. First we argue that we can pick a $v \in L$ not contained in $I$ with length $\|v\| \le \sqrt{n}\,\lambda_n(L)$. The existence follows from the fact that for any lattice $L$, there is a basis $B = \{b_i : b_i \in \mathbb{Q}^m\}_{i=1}^{n}$ of $L$ such that $\|b_i\| \le \sqrt{n}\,\lambda_i(L)$, $i = 1, \ldots, n$, where $\lambda_i(L)$ is the $i$th successive minimum of $L$. If there is no such $v$, that would imply $I$ contains all vectors in $L$ of length $\le \sqrt{n}\,\lambda_n(L)$, and hence contains a basis of $L$, contradicting the assumption that $I$ is a proper sublattice of $L$. Then observe that $L$ at least contains $I \cup (v + I)$, and therefore $g_s(L) \ge g_s(v + I) + g_s(I) \ge (2 - \frac{1}{n^2})\,g_s(I)$ by Corollary 7.3.3, if $s \ge 4\pi^2 n^{5/2}\cdot\sqrt{n}\,\lambda_n(L) = 4\pi^2 n^3 \lambda_n(L)$. Then $g_s(L) \ge (1 - 2^{-2n})\,g_s(\tilde{L}) \ge (1 - 2^{-2n})(2 - \frac{1}{n^2})\,g_s(I)$, and hence $\frac{g_s(I)}{g_s(L)} \le \frac{1}{(1 - 2^{-2n})(2 - 1/n^2)} \le \frac{2}{3}$ when $n \ge 2$. □

We are now ready to prove Proposition 7.3.1. 

Proof of Proposition 7.3.1.

$$\langle\varphi|\varphi'\rangle = \alpha\sum_{x \in L,\,x' \in L'}\;\sum_{y, y' \in G}\sqrt{g_s(x)\,g_s(x')\,g_t(y)\,g_t(y')}\;\langle x + y|x' + y'\rangle$$

$$= \alpha\sum_{\|x - x'\| < \beta_1}\;\sum_{y, y' \in G}\sqrt{g_s(x)\,g_s(x')\,g_t(y)\,g_t(y')}\;\langle x + y|x' + y'\rangle + \alpha\sum_{\|x - x'\| > \beta_2}\;\sum_{y, y' \in G}\sqrt{g_s(x)\,g_s(x')\,g_t(y)\,g_t(y')}\;\langle x + y|x' + y'\rangle =: \alpha(A + B),$$

where $\alpha := \left(g_t(G)\sqrt{g_s(L)\,g_s(L')}\right)^{-1}$.

Next we show that, picking proper $s$ and $t$, $A$ is approximately $g_t(G)\,g_s(I)$ and $B$ is $0$.

First we show that $A \in (1 \pm \frac{4}{n^2})\cdot g_s(I)\,g_t(G)$ whenever $s, t > 4\pi^2 n^{5/2}\beta_1$:

$$A = \sum_{\|x - x'\| < \beta_1}\;\sum_{y, y' \in G}\sqrt{g_s(x)\,g_s(x')\,g_t(y)\,g_t(y')}\;\langle x + y|x' + y'\rangle = \sum_{x \in I,\,x' = h(x)}\sqrt{g_s(x)\,g_s(x')}\sum_{y, y' \in G}\sqrt{g_t(y)\,g_t(y')}\;\langle x + y|x' + y'\rangle$$

$$\overset{(1)}{\in} \sum_{x \in I,\,x' = h(x)}\sqrt{g_s(x)\,g_s(x')}\;g_t(G)\sqrt{1 \pm \frac{1}{n^2}} \;\overset{(2)}{\in}\; g_t(G)\left(1 \pm \frac{4}{n^2}\right) g_s(I).$$

Here we apply Lemma 7.3.2 with $u = y$, $v = y' - y = x - x'$, $t > 4\pi^2 n^{5/2}\beta_1$ in (1), and with $u = x$, $v = x' - x$, $s > 4\pi^2 n^{5/2}\beta_1$ in (2).

Next we show that $B = 0$. Summing over $x \in L$ and $x' \in L'$,

$$B = \sum_{\|x - x'\| > \beta_2,\;y, y' \in G}\sqrt{g_s(x)\,g_s(x')\,g_t(y)\,g_t(y')}\;\langle x + y|x' + y'\rangle.$$

For $\langle x + y|x' + y'\rangle = 1$, it must hold that $\|x - x'\| = \|y - y'\|$. Since $\|y - y'\| \le 2t\sqrt{n}$ and $\beta_2 > 2t\sqrt{n}$, this never happens.

Therefore, we have that $\langle\varphi|\varphi'\rangle \in (1 \pm \frac{4}{n^2})\cdot\frac{g_s(I)}{\sqrt{g_s(L)\,g_s(L')}}$. □
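To make Proposition 7.3.1 concrete, here is an added numerical illustration written for this page (not code from the thesis): it builds the finite double Gaussian encodings of 1-D lattices on a grid $\delta\mathbb{Z}$ and compares their actual inner product with the value $g_s(I)/\sqrt{g_s(L)\,g_s(L')}$ predicted by the proposition. Three constructed cases are used: the same lattice (overlap $1$), a slightly perturbed copy (overlap close to $1$), and the proper sublattice $2\mathbb{Z}$ of $\mathbb{Z}$, where the overlap drops to $\sqrt{g_s(2\mathbb{Z})/g_s(\mathbb{Z})} \approx 1/\sqrt{2}$. The parameters $s$, $t$, $\delta$, the perturbation and the matching threshold $\beta_1$ are chosen for the demonstration; the inner Gaussians are kept narrower than half the lattice spacing so that, as in the proof, grid points of different lattice points never coincide.

```python
import math

S, T, DELTA = 30.0, 0.3, 0.05      # outer width, inner width, grid step (constructed values)


def g(sigma, x):
    """1-D version of the Gaussian weight g_sigma(x) = exp(-pi x^2 / sigma^2)."""
    return math.exp(-math.pi * x * x / (sigma * sigma))


def truncated_lattice(spacing, radius=S, delta=DELTA):
    """Points of spacing*Z inside [-radius, radius], snapped to the grid delta*Z
    (the thesis likewise works with a rational basis at grid precision)."""
    k_max = int(radius // spacing)
    return [round(k * spacing / delta) * delta for k in range(-k_max, k_max + 1)]


def grid_points(t=T, delta=DELTA):
    """The truncated inner grid: delta*Z intersected with [-t, t]."""
    m = int(t // delta)
    return [k * delta for k in range(-m, m + 1)]


def double_gaussian_state(points, s=S, t=T, delta=DELTA):
    """Normalized amplitudes of sum_x sum_y sqrt(g_s(x) g_t(y)) |x+y>, keyed by grid index."""
    amp = {}
    for x in points:
        gx = g(s, x)
        for y in grid_points(t, delta):
            key = round((x + y) / delta)
            amp[key] = amp.get(key, 0.0) + math.sqrt(gx * g(t, y))
    norm = math.sqrt(sum(a * a for a in amp.values()))
    return {k: a / norm for k, a in amp.items()}


def inner_product(phi, psi):
    return sum(a * psi.get(k, 0.0) for k, a in phi.items())


def predicted_overlap(points, points2, beta1, s=S):
    """g_s(I) / sqrt(g_s(L) g_s(L')) from Proposition 7.3.1, where I consists of the points
    of L that have a partner in L' closer than beta1."""
    g_I = sum(g(s, x) for x in points if any(abs(x - x2) < beta1 for x2 in points2))
    g_L = sum(g(s, x) for x in points)
    g_L2 = sum(g(s, x) for x in points2)
    return g_I / math.sqrt(g_L * g_L2)


def compare(points, points2, beta1=0.1):
    """Returns (actual inner product of the encodings, value predicted by Proposition 7.3.1)."""
    phi, psi = double_gaussian_state(points), double_gaussian_state(points2)
    return inner_product(phi, psi), predicted_overlap(points, points2, beta1)


if __name__ == "__main__":
    Z = truncated_lattice(1.0)
    print("same lattice   :", compare(Z, Z))
    print("perturbed copy :", compare(Z, truncated_lattice(1.002)))   # close to 1
    print("sublattice 2Z  :", compare(Z, truncated_lattice(2.0)))     # about 1/sqrt(2)
```

In the sublattice case the cross terms vanish exactly, just as $B = 0$ in the proof, so the computed inner product agrees with the predicted value to floating-point precision; in the perturbed case the shifted inner Gaussians still overlap almost completely, which is the role of the inner Gaussian with parameter $t$.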

7.3.2 Correctness of Reduction

Recall that in our reduction, the HSP oracle function $g$ is defined to be the composed mapping which maps a real vector into a (basis of a) lattice and then encodes the lattice into a double-Gaussian superposition. Namely

$$g : \mathbb{R}^m \to S, \qquad t \mapsto |L_t\rangle := \sum_{x \in L(f(t))}\sum_{y \in G}\sqrt{g_s(x)\,g_t(y)}\;|x + y\rangle \quad\text{normalized.}$$

The main theorem we want to show is that $g$ satisfies the HSP properties as in Definition 7.1.3:

Theorem 7.3.6 (HSP Property of $g$). Choose $s = n2^{2n}\sqrt{n^n d}$ and $t = 4\pi^2 n^{5/2}\beta_1$. Let $t, t' \in \mathbb{R}^m$. Then

• if $\min_{v \in \Lambda}\|t - t' - v\| < r_1$, then $|\langle g(t')|g(t)\rangle| > 1 - 4/n^2$;

• if $\min_{v \in \Lambda}\|t - t' - v\| > r_2$, then $|\langle g(t')|g(t)\rangle| < 3/4$.

Thus we get $g$ as an $(r_1, r_2, 4/n^2, 3/4)$ oracle function. To amplify the parameters, we can define $\tilde{g} : t \mapsto |L_t\rangle^{\otimes n}$. It is easy to verify that $\tilde{g}$ is an $(r_1, r_2, 4/n, (3/4)^n)$ oracle function.

With the tools developed so far, the theorem follows straightforwardly.

Proof. Observe that in Proposition 7.2.2, when $\min_{v \in \Lambda}\|t - t' - v\| < r_1$, it leads to the case that $I = L$ and $I' = L'$ in Proposition 7.3.1; whereas $\min_{v \in \Lambda}\|t - t' - v\| > r_2$ leads to the case that $I \subsetneq L$ and $I' \subsetneq L'$ in Proposition 7.3.1². We now analyze the two cases.

If $I = L$ and $I' = L'$, by Proposition 7.3.1, we obtain

$$\langle L_t|L_{t'}\rangle \ge \left(1 - \frac{4}{n^2}\right)\frac{g_s(L)}{\sqrt{g_s(L)\,g_s(L')}} = \left(1 - \frac{4}{n^2}\right)\sqrt{\frac{g_s(L)}{g_s(L')}} \ge \left(1 - \frac{4}{n^2}\right)\sqrt{1 - \frac{1}{n^2}},$$

since $\frac{g_s(L)}{g_s(L')} \ge 1 - \frac{1}{n^2}$ by Corollary 7.3.4.

If $I \subsetneq L$ and $I' \subsetneq L'$, we apply Proposition 7.3.1 and obtain

$$\langle L_t|L_{t'}\rangle \le \left(1 + \frac{4}{n^2}\right)\frac{g_s(I)}{\sqrt{g_s(L)\,g_s(L')}} \le \left(1 + \frac{4}{n^2}\right)\frac{g_s(I)}{\frac{3}{2}\sqrt{g_s(I)\,g_s(I')}} \le \frac{2}{3}\cdot\frac{1 + 4/n^2}{\sqrt{1 - 1/n^2}},$$

where we applied Lemma 7.3.5 to get $g_s(L) \ge \frac{3}{2}g_s(I)$ and $g_s(L') \ge \frac{3}{2}g_s(I')$, and applied Corollary 7.3.4 to get $g_s(I') \ge (1 - \frac{1}{n^2})\,g_s(I)$. These inequalities hold for any $n > 5$ and $s \ge 4\pi^2 n^3 \cdot \max\{\lambda_n(L), \lambda_n(L')\}$. □

² Proposition 7.3.1 requires that pairs $(x, x') \in I \times I'$ have small distances, which is not necessarily true in Proposition 7.2.2. Nonetheless, we will only need the upper bound on the inner product in this case, which still holds without the extra condition.


7.3.3 Computing the double Gaussian superposition

We show how to generate

$$\sum_{v \in L,\,w \in G}\sqrt{g_s(v)\,g_t(w)}\;|v + w\rangle$$

efficiently for any lattice $L \subset \mathbb{Q}^n$ with $s > C2^n$, $C > n2^n\sqrt{n^n d}$ and $\lambda_1(L) > 2^{n/2}\sqrt{n}\,t$. Note these conditions on parameters are satisfied in our main Theorem 7.3.6.

First the inner Gaussian, a superposition over $G$: $\sum_{w \in G}\sqrt{g_t(w)}\,|w\rangle$. We first create a Gaussian state over $\mathbb{Z}^n$ with parameter $t\delta^{-1}$. This can be done by first creating $n$ copies of 1-D Gaussians via a standard procedure, e.g., [GR02]. Namely one can approximate $\sum_{w_i \in \mathbb{Z}}\sqrt{g_{t\delta^{-1}}(w_i)}\,|w_i\rangle$ for $i = 1, \ldots, n$ by a Gaussian superposition over integers within a finite region. Then we take their tensor product and get

$$\bigotimes_{i=1}^{n}\sum_{w_i \in \mathbb{Z}}\sqrt{g_{t\delta^{-1}}(w_i)}\,|w_i\rangle = \sum_{w \in \mathbb{Z}^n}\sqrt{\prod_i g_{t\delta^{-1}}(w_i)}\;|w_1 \ldots w_n\rangle = \sum_{w \in \mathbb{Z}^n}\sqrt{\frac{g_{t\delta^{-1}}(w)}{g_{t\delta^{-1}}(\mathbb{Z}^n)}}\;|w\rangle \quad\text{(normalized)},$$

observing that $\prod_i g_{t\delta^{-1}}(w_i) = e^{-\pi\|w\|^2/(t\delta^{-1})^2} = g_{t\delta^{-1}}(w)$. Then, applying a division by $\delta^{-1}$ to the register (i.e., mapping $w \mapsto \delta w$), we obtain $\sum_{w \in G}\sqrt{g_t(w)}\,|w\rangle$, since $g_{t\delta^{-1}}(w) = g_t(\delta w)$.

Next the outer Gaussian, a superposition over lattice points: $\sum_{v \in L}\sqrt{g_s(v)}\,|v\rangle$. The central idea comes from [KW08]. Let $A := B^TB$ be the Gram matrix of an LLL-reduced basis $B$. Then $A$ can be decomposed into $A = LDL^T$ where $D = \mathrm{diag}(d_i)$ is a diagonal matrix with $d_i > 0$ and $L$ is a lower triangular shearing matrix with diagonal entries one. We adapt the generating procedure of multiple-dimension Gaussian superposition of [KW08] to our setting, and prove explicitly the correctness. The algorithm is as below.
(a) Create a state that approximates $\sum_{y \in \mathbb{Z}^n} e^{-\pi\,y^T D y/s^2}\,|y\rangle$. This is done by creating $n$ instances of 1-dimensional Gaussian superpositions, as discussed above, with parameter $s/\sqrt{d_i}$ in each respective dimension.

(b) Apply the change of variable $\tilde{z} = L^Ty$ (so that $\tilde{z}^T D \tilde{z} = y^T LDL^T y = \|By\|^2$), and get

$$\sum_{L^Ty \in \mathbb{Z}^n} e^{-\pi\,(L^Ty)^T D (L^Ty)/s^2}\,|L^Ty\rangle = \sum_{L^Ty \in \mathbb{Z}^n} e^{-\pi\,\|By\|^2/s^2}\,|L^Ty\rangle.$$

(c) Apply the transformation $U : |\tilde{z}\rangle \mapsto |z\rangle$, $\forall \tilde{z} \in \mathbb{Z}^n$, where $z$ is $(L^T)^{-1}\tilde{z}$ followed by taking the coordinate-wise floor. This gives $\sum_{z \in \mathbb{Z}^n} g_s(B(z + \epsilon_z))\,|z\rangle$ with $\epsilon_z := (L^T)^{-1}\tilde{z} - z$.

(d) Multiply by the basis $B$; we get $|\tilde{\phi}\rangle := \sum_{z \in \mathbb{Z}^n} g_s(B(z + \epsilon_z))\,|Bz\rangle$.

Because $L$ is a unit lower triangular matrix, it is not hard to verify that multiplication by $(L^T)^{-1}$ and taking the floor is an efficient reversible classical operation, and thus can be implemented efficiently on a quantum computer. Next notice that, except for the approximation error in step (a), the algorithm generates $|\tilde{\phi}\rangle$. We argue that with a proper parameter $s$, $|\tilde{\phi}\rangle$ can be made exponentially close to the desired Gaussian superposition over lattice points $L(B)$, which is $|\phi\rangle = \sum_{z \in \mathbb{Z}^n} g_s(Bz)\,|Bz\rangle$. Roughly speaking, the only difference in the amplitudes of $|\tilde{\phi}\rangle$ and $|\phi\rangle$ is the “noisy” shift $B\epsilon_z$. We show below that $\|B\epsilon_z\| \le C := n2^n\sqrt{n^n d}$. Lemma 7.3.2 then tells us that, picking large enough $s$, e.g., $s > C \cdot 2^n$, $g_s(Bz + B\epsilon_z) \approx g_s(Bz)$ with exponentially small error. Thus the two states will also be exponentially close.

We are left to derive an upper bound $C$ on $\|B\epsilon_z\|$. Note that each coordinate of $\epsilon_z$ lies in $[0, 1)$. That means $\|B\epsilon_z\|$ is at most the diameter of the fundamental parallelepiped, which is upper bounded by $n2^n\lambda_n(L)$ since $B$ is LLL-reduced. Minkowski's theorem tells us that $\prod_i \lambda_i \le \sqrt{n^n}\,\det(B)$. Since $\lambda_i \ge 1$, $i = 1, \ldots, n-1$, we get $\lambda_n \le \sqrt{n^n}\sqrt{d}$. Therefore $\|B\epsilon_z\| \le C := n2^n\sqrt{n^n d}$.

Finally, create the double-Gaussian $\sum_{v \in L,\,w \in G}\sqrt{g_s(v)\,g_t(w)}\;|v + w\rangle$. First create the inner and outer Gaussians on two registers (omitting normalization factors): $\sum_{v \in L}\sqrt{g_s(v)}\,|v\rangle \otimes \sum_{w \in G}\sqrt{g_t(w)}\,|w\rangle$. Next we perform:

$$\sum_{v \in L,\,w \in G}\sqrt{g_s(v)\,g_t(w)}\;|v\rangle|w\rangle \;\to\; \sum_{v \in L,\,w \in G}\sqrt{g_s(v)\,g_t(w)}\;|v\rangle|v + w\rangle \;\overset{(*)}{\to}\; \sum_{v \in L,\,w \in G}\sqrt{g_s(v)\,g_t(w)}\;|0\rangle|v + w\rangle,$$

where in $(*)$ we apply a CVP oracle $\mathrm{CVP}_L(v + w)$ to erase $v$ on the first register. Since we have $\lambda_1(L) > 2^{n/2}\sqrt{n}\,t$ and $\|w\| \le \sqrt{n}\,t$ (except with negligible probability), we can use Babai's nearest-plane algorithm [Bab86] to find the unique closest vector exactly.
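The erasing step $(*)$ relies on a CVP oracle that returns $v$ exactly from $v + w$. As an added example for this page (not the thesis' code), here is Babai's nearest-plane algorithm in exact rational arithmetic, together with the guarantee it gives: if $\|w\|^2$ is below $\min_i \|\tilde{b}_i\|^2/4$, where the $\tilde{b}_i$ are the Gram–Schmidt vectors of the basis, the returned vector is exactly $v$. The two bases `B_GOOD` and `B_BAD` span the same 3-dimensional lattice (constructed for the example; the second is obtained from the first by the unimodular change $b_1 \mapsto b_1 + 3b_3$) and show why the thesis insists on an LLL-reduced basis: the bad basis has a much shorter Gram–Schmidt vector, so the same noise is no longer covered by the guarantee. The target vector and noise are constructed as well.

```python
from fractions import Fraction as Fr


def dot(u, v):
    return sum(Fr(a) * Fr(b) for a, b in zip(u, v))


def gram_schmidt(basis):
    """Gram-Schmidt orthogonalization b~_i of the rows of `basis`, exact over Q."""
    ortho = []
    for b in basis:
        v = [Fr(x) for x in b]
        for bs in ortho:
            mu = dot(b, bs) / dot(bs, bs)
            v = [a - mu * c for a, c in zip(v, bs)]
        ortho.append(v)
    return ortho


def babai_nearest_plane(basis, target):
    """Babai's nearest-plane algorithm [Bab86]: returns (lattice vector, integer coefficients)."""
    ortho = gram_schmidt(basis)
    n = len(basis)
    t = [Fr(x) for x in target]
    coeffs = [0] * n
    for i in reversed(range(n)):
        # project the residual on b~_i and round to the nearest translate of the hyperplane
        c = round(dot(t, ortho[i]) / dot(ortho[i], ortho[i]))
        coeffs[i] = c
        t = [a - c * Fr(b) for a, b in zip(t, basis[i])]
    v = [sum(coeffs[i] * basis[i][k] for i in range(n)) for k in range(len(basis[0]))]
    return v, coeffs


def max_noise_sq(basis):
    """Squared noise radius under which nearest-plane provably returns v from v + w:
    the algorithm is exact whenever ||w||^2 < min_i ||b~_i||^2 / 4."""
    return min(dot(bs, bs) for bs in gram_schmidt(basis)) / 4


def erase_lattice_part(basis, point):
    """The CVP step (*): split point = v + w into its lattice part v and the noise w."""
    v, _ = babai_nearest_plane(basis, point)
    return v, [Fr(p) - Fr(x) for p, x in zip(point, v)]


# Constructed example: a nearly orthogonal basis (rows) and a bad basis of the same lattice,
# obtained by b1 -> b1 + 3*b3 (a unimodular transformation, so the lattice is unchanged).
B_GOOD = [[3, 1, 0], [1, 4, 1], [0, 1, 5]]
B_BAD = [[3, 4, 15], [1, 4, 1], [0, 1, 5]]

# v = 2*b1 - 3*b2 + b3 = (3, -9, 2) plus noise w = (0.4, -0.7, 0.5) with ||w||^2 = 0.9
TARGET = [Fr("3.4"), Fr("-9.7"), Fr("2.5")]

if __name__ == "__main__":
    print("good basis: noise radius^2 =", max_noise_sq(B_GOOD),
          "->", babai_nearest_plane(B_GOOD, TARGET))
    print("bad basis : noise radius^2 =", max_noise_sq(B_BAD),
          "(does not cover ||w||^2 = 0.9)")
```

With `B_GOOD` the guarantee covers squared noise up to $5/2$, so the target is decoded to $(3, -9, 2)$ and the residual register holds exactly $w$; with `B_BAD` the radius shrinks to $169/836$, which is the situation the bound $\lambda_1(L) > 2^{n/2}\sqrt{n}\,t$ together with LLL reduction is designed to rule out.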